WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."

  • This is extortion (Score:5, Informative)

    by Anonymous Coward on Sunday March 19, 2017 @03:44PM (#54070041)

    This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should be ashamed of yourselves.

    • by green1 ( 322787 ) on Sunday March 19, 2017 @03:49PM (#54070057)

      Depends what the agreement is.

      It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.

      You're rushing to judge them without all the facts. But that's in vogue these days.

      • Re:This is extortion (Score:5, Interesting)

        by Megol ( 3135005 ) on Sunday March 19, 2017 @04:05PM (#54070105)

        I wonder why wikileaks doesn't leak the agreement terms?

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Why don't the tech companies that received the emails do it? The sources for the stories are obviously employees of the companies contacted who spoke to the journalist. Why don't they leak the agreement terms?

      • by Entrope ( 68843 ) on Sunday March 19, 2017 @04:23PM (#54070163) Homepage

        Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

        I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.

        • by AmiMoJo ( 196126 ) <mojo&world3,net> on Sunday March 19, 2017 @05:53PM (#54070445) Homepage Journal

          They are doing it to find out which vendors are in bed with the CIA. If they won't agree to fix the bug in 90 days up front, chances are it's because they don't want to commit to fixing something that the CIA might be using with their knowledge/support.

          • by Entrope ( 68843 ) on Sunday March 19, 2017 @05:56PM (#54070461) Homepage

            Equally plausible: They're doing it because they're a front for the Kremlin.

            • by AmiMoJo ( 196126 )

              Either way, it's of massive benefit to us.

              • by Entrope ( 68843 )

                Please clarify. Do you mean that keeping the details of exploitable bugs away from the people who can fix them or thwart attacks is a "massive benefit to us"? Do you think that the Kremlin has the best interests of Americans at heart? Does the Kremlin pay you as a propagandist?

                • by AmiMoJo ( 196126 )

                  It is of great benefit to know what the exploits are and to know which companies don't want to fix them.

                  • by Entrope ( 68843 )

                    So why does Wikileaks want to keep the bugs secret from the companies that can fix them?

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            Wow, tinfoil hat much?

            The more likely solution is that companies aren't willing to agree to fix a set of bugs within 90 days without even knowing what that set of bugs is. I think it would be incredibly irresponsible for someone to agree to do a set of work in a set timeframe without even knowing what that work is.

        • Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

          I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.

          They've done worse than that. They've had them prosecuted as criminals.

          • by Entrope ( 68843 )

            [citation needed]

            Also: Companies do not decide what makes a crime, and do not (as far as I know of, in civilized countries) have the power to prosecute crimes.

      • It's Wikileaks' fault all the facts aren't out. They have all the cards, and are only showing some, so fuck them.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          So when Wikileaks releases raw dumps of leaked data, they get criticized because the data wasn't "curated" and personal information like cc numbers, phone numbers and addresses, social security, etc. are exposed. But when Wikileaks holds back information because the information contains sensitive and potentially harmful data, they get criticized. Wish you critics would make up your fucking mind.

          • Re:This is extortion (Score:5, Interesting)

            by bill_mcgonigle ( 4333 ) * on Sunday March 19, 2017 @05:28PM (#54070359) Homepage Journal

            Wish you critics would make up your fucking mind.

            You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).

            We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.

            MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.

            • We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have)

              Your honor, you can be quite sure I never killed that guy, because I never have.

          • Oh, boo hoo. Poor wikileaks put itself in a difficult position, then waffles on that position, then gets criticized for waffling.

            Fuck them.

      • "It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable."

        lol Not a chance in hell. There's no case to sue if they go public with the vulnerabilities. They want something else.

    • by Anonymous Coward

      Did you not read the part where it says that nobody really knows what demands are being met? Given the past abuses of the CFAA, this could be something as simple as "you will not hold wikileaks responsible for the contents or means of finding the vulnerability information, nor will we be held accountable for the illegal means in which the information was gathered by the CIA". IANAL, but I'd guess that including such a clause would be wise, given the aggressive application of judicial power used against wi

    • by Clived ( 106409 )

      I agree, looks like we are starting to see Julian's true colours. He lost my support around the US election for bullshit like this. I am ashamed of you, Mr. Assange.

    • Re:This is extortion (Score:4, Interesting)

      by Mephistophocles ( 930357 ) on Sunday March 19, 2017 @05:00PM (#54070257) Homepage

      This is extortion.

      No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").

      It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.

      In other words, if wikileaks isn't gaining anything (money etc) from this, it isn't extortion or blackmail. It's Wikileaks allowing the tech companies to fix the holes the CIA created before they release information about those holes to the general public - thereby possibly allowing the tech companies to save face. That makes sense, since it's quite possible that it's no fault of any of these companies that the CIA decided to completely trash their products in the name of spying on everyone. The damage is already done, in other words, and there's really nothing stopping Wikileaks from just telling the world what the damage is. It's kind of nice of them to give Microsoft etc some breathing room first, so that when they do release details on the damage done, they can also include information that shows these tech companies have already fixed the problems.

    • Uhh, did you actually read as far as the second paragraph of the article you're commenting on?

      "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA."

      The information that Wikileaks has made available is still classified, even if it's public. If you work for an organisation that handles government contracts, and some of your employees have security clearances, then you can't receive classified information to help you fix an 0day, even if the classified information is now public. It was the same with the Snowden stuff, if someone had wanted to DoS everyone in th

    • Nope, this is not extortion nor blackmail, it is really trying to get a fix quickly and not letting companies screw their customers, either by being lazy or by security agencies' pressure.

      If a company gets the bug report and then does not do anything for one year, what can wikileaks do? Release the info before the fix or wait more? Either way, it is already too much time for a security bug that is being abused, and in the end the info will be public with no one protected, and in the end, it will always be wikile

      • I think this is totally logical; MS, Oracle and many other companies do not care about security or take way too long to release fixes...

        Actually it is quite possible to be critical about Wikileaks having demands. In principle at least. In practice Wikileaks is being smeared and attacked all day long and if they do not correspond to the highest standards they are regarded as evil. That is not realistic, Wikileaks can be very valuable even if it is very flawed. There are plenty of flaws around with the other pl

    • Wikileaks isn't obligated to fix your 0days for you. If you don't want the help, just do it yourself.

  • I was not aware that prioritizing customers over government contracts was a practice that only European companies were capable of. Doesn't having government contracts mean that the government is your customer? How exactly is that supposed to work? Maybe Assange meant to say "may prefer organizations such as Mozilla or European companies that prioritize their users over United States government contracts."

  • This just in (Score:2, Insightful)

    Assange fighting to stay relevant by any means possible. News at 11.

    • Re:This just in (Score:5, Insightful)

      by bug1 ( 96678 ) on Sunday March 19, 2017 @04:34PM (#54070201)

      More news is coming in:

      Person complains that a small group of freedom fighters aren't fighting hard enough to protect their interests, suggests they should try harder.

      They further complain about having to get out of bed, suggesting someone else should do it for them.

      • Re:This just in (Score:4, Insightful)

        by Anonymous Coward on Monday March 20, 2017 @02:48AM (#54071837)

        Wait, are you saying Assange is a freedom fighter?

        So why is he in bed with authoritarians like Putin, Farage, and has engaged in mutual praise with Trump? Even if you believe there's no official connection then Assange is a regular on Russia's state propaganda channel RT, has met up with Farage in the Ecuadorian embassy:

        https://www.rt.com/tags/the-ju... [rt.com]

        https://www.theguardian.com/co... [theguardian.com]

        You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

        Assange is the last person I'd want fighting for my freedom, because he doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with and is trying to support that using Wikileaks.

        • Re:This just in (Score:4, Interesting)

          by orzetto ( 545509 ) on Monday March 20, 2017 @09:16AM (#54072991)

          You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

          You have a funny definition of freedom yourself if you think that it means developing and collecting techniques to use your personal electronics as spies for the government. Whatever Assange's relation to the Kremlin may be: on this specific issue they are fighting for your and my freedom with much more impact than any soldier ever had in the past 70 years.

          Assange [...] doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with [...]

          According to a 2011 interview with Forbes [forbes.com], Assange is some sort of libertarian. Now I tend more to what is called socialist in the US, and believe little in trickle-down economy and market shenanigans, but you are describing a fascist, which Assange has never given any reason to believe he is. On the other hand, the people who "believe in absolute rule" are also those who collect and use the hacking tricks used by the CIA. So what kind of fascist would ever disarm the brown shirts?

    • Anything that anyone does can be dismissed in this way.

  • For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.

    • I see it this way. A vulnerability is found and an exploit is written. As time passes several things happen. The exploit gets distributed because of outsourcing and after a while there really are a lot of people who know about it. Other people also find out about the vulnerability. Some day the software maker finds out and the bug is no longer zero day, but the exploit will still work on unpatched systems so it sticks around until something much better replaces it.

      As for the software company itself,I suspect mos

    • by AHuxley ( 892839 )

      A few 100 to 10's per year per product cycle? It depends on the average price and the clandestine budget for buying on the open market per year.

      Say a budget range for a good exclusive deal per zero day for a new OS or device in the 100 of apps/code/access products?

      That's the positive side that still looks corporate. It's hard to tell who is buying in the mix of buyers globally.

      A flood of gov/mil cash in the wild would stand out even with a lot of US/UK front companies every year doing the malware buying.
  • by Anonymous Coward on Sunday March 19, 2017 @04:21PM (#54070159)

    simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.

  • Fuck Wikileaks (Score:5, Interesting)

    by DogDude ( 805747 ) on Sunday March 19, 2017 @05:02PM (#54070265)

    Fuck Wikileaks. I initially supported what they were trying to do, but they've proven to be complete assholes.
  • It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions
  • We talk about leaked classified material that remains classified. Does it qualify as a federal crime to accept it?
  • Why secret? (Score:4, Interesting)

    by CanEHdian ( 1098955 ) on Monday March 20, 2017 @06:08AM (#54072221)

    Anyone able to explain why these agreements/demands are SECRET? There should be ("industry standard"?) nothing stopping WL from publishing them. In the interest of transparency.
  • Or anyway those who don't have a simplistic, easily-probed agreement or other conflict of interest with classified U.S. three-letter agencies. This criterion changes exactly nothing.

    Beware the false prophets. Ineffective activism is exactly equivalent to doing nothing at all.
