Date: 2017-03-19
WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."
Re: (Score:2)
Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.
Re:This is extortion (Score:4, Insightful)
Depends what the agreement is.
It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.
You're rushing to judge them without all the facts. But that's in vogue these days.
Re: (Score:2)
I wonder why wikileaks doesn't leak the agreement terms?
Re: (Score:1)
I wonder why wikileaks doesn't leak the agreement terms?
maybe so somebody can say this:
You're rushing to judge them without all the facts. But that's in vogue these days.
:p
Re: This is extortion (Score:3)
Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?
I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.
Re: (Score:2)
It's Wikileaks' fault all the facts aren't out. They have all the cards, and are only showing some, so fuck them.
Re: (Score:2)
I agree, looks like we are starting to see Julian's true colours. He lost my support around the US election for bullshit like this. I am ashamed of you, Mr. Assange.
Re: (Score:2)
This is extortion.
No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").
It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.
In other words, if wikileaks isn't gaining anything (money etc) from this, i
Re: Sounds reasonable to me (Score:4, Insightful)
There are no good guys in this scenario. Wikileaks is so focused on their little crusade for openness that they've adopted the same "the end justifies the means" approach as the CIA and NSA.
European companies prioritize their customers? (Score:1)
I was not aware that prioritizing customers over government contracts was a practice that only European companies were capable of. Doesn't having government contracts mean that the government is your customer? How exactly is that supposed to work? Maybe Assange meant to say "may prefer organizations such as Mozilla or European companies that prioritize their users over United States government contracts."
This just in (Score:1)
Assange fighting to stay relevant by any means possible. News at 11.
Re: (Score:2)
More news is coming in;
Person complains that a small group of freedom fighters aren't fighting hard enough to protect their interests, suggests they should try harder.
They further complain about having to get out of bed, suggesting someone else should do it for them.
Of course it's easy for Mozilla... (Score:1)
Of course it's easy for Mozilla. It's always easy when you have no real customers, and very few users of your product. You can make all sorts of changes very quickly because you're pretty much working in a bubble. Nobody gets upset when a rushed fix causes regressions because there are so few users to begin with, and they may never actually experience the regression directly.
Re: (Score:1)
Don't let your nationalism blind you.
They are in a position of inferior power towards the US gov. That's why they are in such a defensive position.
And the news here is: "the US gov. is ACTUALLY spying on you and wikileaks knows how it is doing."
Re: (Score:2)
The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.
Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can destroy it, use it.
They thought they could turn over the chess boar
I wonder how many of these 0-days are really new (Score:1)
For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.
Re: (Score:2)
I see it this way. A vulnerability is found and an exploit is written. As time passes several things happen. The exploit gets distributed because of outsourcing and after a while there really are a lot of people who know about it. Other people also find out about the vulnerability. Some day the software maker finds out and the bug is no longer zero day but the exploit will still work on unpatched systems so it sticks around until something much better replaces it.
As for the software company itself, I suspect mos
After firing most of their QA team, Microsoft... (Score:1)
simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.
Fuck Wikileaks (Score:2)