Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)
Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Is it the CIA's responsibility to point these out? How many "flaws" are intentional?
The NSA is supposed to help and disclose vulnerabilities to the US at the very least, rather than exploit them. The CIA on the other hand has no such goal, and the sole reason it searches for vulnerabilities is to exploit them against every other country.
The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.
The problem is there are those in the CIA that have gotten "in too deep". It's as if, we are all now pawns on the board, ready to be sacrificed for the greater good.
Right, so when the CIA/NSA/whatever, uses a vulnerability that gives them access to information -- that it is their reason for existing, they should immediately turn the vulnerability over to the device manufacturer so that they will patch it.
Because these agencies exist and are financed to perform vulnerability testing for Apple/Google/Microsoft/HP/Dell/ZTE/Huawei/etc!?!?
Methinks that anyone that can say "that's not how it should work" with a straight face can only be a lawyer, habituated to defining truth as "whatever best serves me/my client".
We cannot be appalled by the lies of people like Trump and at the same time accept it when people who say that they are defending us from his and other deceptions are also lying to us.
EFF, this does not help as it only gives Trump et al. more ammunition.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Just so long as you keep writing those tax checks to fund them, anyways.
Doesn't it defeat the entire purpose of intelligence gathering operations to inform targets of your means & methods so... they can... stop you?
nt
If you think that coming up with ways to assassinate people is worthy work, then your mind is warped.
That some of the exploits they decided to hang onto were actually malware code samples that would allow them to attribute attacks to foreign governments, when in fact they had nothing to do with said attack. In addition to this, they appear to have held onto exploits for vehicle control systems that would allow them to ASSASSINATE people without detection. This is CERTAINLY NOT what they were hired to do. Not by any of the US citizens/agents that I know anyway. These are EXPOSED Black Ops Projects, by any other definition. It's time that someone unbiased investigated the CIA/NSA... They clearly are into some things they shouldn't be. Things that are CLEARLY ILLEGAL...
You know that reason they have for existing? Yeah. People are trying to say that it's a trashy reason for existing. Get it yet?
Their job is to stop Mohammed from blowing up your children. If they have to refrain from disclosing a few security vulns they didn't even create in order to do that, so be it.
It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discussing since forever, and it's hardly just the CIA that's been taking advantage of the environment.
And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IoT vendor to tell them that their device is a POS and how the CIA takes advantage when we and they all know this already?
"Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans." It is? News to me. Please cite the applicable Federal Legislation and Regulations. Or is this just some silly juvenile opinion of someone who doesn't know what the CIA does nor understand why they do it? See, life is full of compromises, and there's these things called "priorities". Last I heard physical threats rank somewhat above privacy threats in that list. Only juveniles believe as if we can have it all.
http://www.news.com.au/finance...
So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.
CIA was created to protect safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.
It's silly to expect a spy agency to obey the law and play always fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect whatever they might have gained through holding to these exploits outweighs the losses of the public caused by the non-disclosure. CIA no longer serves USA. CIA just serves goals of CIA, and if means to these goals conflict with the good of USA, so be it, USA be damned.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".
It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.
...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
The CIA should definitely make sure every security hole is filled so they can't spy anymore.
That's why England called Hitler and told him we broke the Enigma code thing... you know, so he could patch it.
.... And if the CIA has to run a false flag operation that blows up your children, then at least know that they died to weaken your enemy that wants to blow up your children... that are already blown up.
If telephones are outlawed, then only outlaws will have telephones.
"I'm here to help you - I'm Reese Sgt. TechCom DN38416 assigned to protect you" via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ "you've been TARGETTED for TERMINATION!"
Shields vs. threats & gains speed (others slow you). Does more 4 less vs. illogical "Bolt on 'MoAr' so-called exploitable 'security solutions'" using more doing less (dns/antivirus/addons)
"That terminator is out there: It can't be bargained with. It can't be reasoned with. It doesn't feel pity, remorse, or fear & it absolutely will not stop EVER (until U R DEAD)"
Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
P.S.=> "It's a HYPER-ALLOY Combat Chassis - Microprocessor controlled: FULLY armored, VERY tough!"
VIRUSPROOF (every function checks vs. alteration)... apk
It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.
I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.
They're a spy agency, folks. This is what spies do.
Weaselmancer
ridiculous.
Fine, let me see what I can do
I think there are new videos on this as well
I've been seeing this code pop up all over, the last few weeks. It's Alliance, and it's high military.
Every government intelligence agency holds on to flaws and exploits.
Spin the globe put your finger on a random country and ask their intelligence agency to divulge their trove of security flaws and exploits. See how far that gets you.
"The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on."
This is EXACTLY what I would expect of them. This is how they gain their advantage.
No sane person would ever expect the CIA/NSA/FBI to announce that they found a security vulnerability. It would be like a burglar announcing to a home owner that he found an unlocked door.
Just cruising through this digital world at 33 1/3 rpm...
The Vulnerabilities Equities Process doesn't have a mandate to disclosure, merely to determine if they should disclose or keep it for use. The EFF explains it:
EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.
EFF v. NSA, ODNI - Vulnerabilities FOIA"
The EFF has a heavily redacted copy of the policy the key statement in there is "When a decision is made to disseminate..."
I'm a consultant - I convert gibberish into cash-flow.
See subject: There's a war for your mind employing std. psyop mechanics & marketing "jump on the bandwagon" psych tactics - that said?
THE "POWERS THAT BE" ARE USING YOUR OWN MIND AGAINST YOU... people feel safer in 'groups' being on the 'winning team' so they have to make it appear they have 'more people' & 'you are outnumbered & surrounded' via the creation of the ILLUSION of "mass consensus" (happens all the time on forums like /. - sockpuppets & FAKE NAME (multiple accounts) for FAKE LIVES users (like you BOY)).
They KNOW they don't have the military (the ultimate enforcer of law, using violence & GUNS they won't let YOU have or don't want you to rather) so the IMF/CFR/Trilateral Commission swine ran to DAVOS switzerland (home of their banks or a major hub) to TRY get 'muscle' via the Chinese (who are intelligent, trust me, & see RIGHT thru their asses & WILL play them in the end).
They keep getting caught in lies etc. in MainStreamMedia FAKE NEWS too - they're losing & couldn't even win a rigged election (they're bs'ing themselves & DESPERATE).
APK
P.S.=> See subject - they THINK people are stupid cattle - talk "social disconnect" bullshitting themselves (rather their dupes/cronies/sycophants/bootlickers who THINK "the master will protect a 'good dog' like me", bs, SOROS sold his OWN JEW PEOPLE into death as a counter-example proof of what REALLY happens - why? DIRTY birds of a feather - they know their "own kind" that would slice the balls off the masters to BE the masters)... apk
No, we're not - not in any meaningful way. Unless the CIA begins giving or selling these exploits to someone else they are, for all intents and purposes, exploits which do not exist in the wild. We are almost exactly as safe as if the exploits had never been found.
I say "almost" because there is a chance that such knowledge is made public, such as by Wikileaks, which makes us temporarily unsafe until the holes are patched. There is also a chance that an operator might discover the exploit code and reverse-engineer it to determine the exploit. The chance of the latter is likely as high as finding the exploit from scratch, so there's no real net change in safety. Essentially, someone like wikileaks is actually the most dangerous condition in this chain, as a mole who releases information to the public [illegally] creates a zero-day event.
Jesus y Maria! They just handed you a plethora of valuable information and you still find time to bitch about about. Fucking bozo.
Why is that? They aren't a law enforcement agency. There are all sorts of crimes the CIA becomes aware of they are indifferent too.
...by the asshat leaking classified documents.
Blue team discloses all of their discovered vulnerabilities; red team hangs on to their discovered vulnerabilities. Guess who wins? Red team. There's a negative incentive at work here.
CIA is leasing them.
It is the same wink and nod that fouls poor Theo de Radt until he found where one of his co-developers contracted a vulnerability. I'm aware of one security firm that sells exploits top-dollar to agencies of government around the world and his personal team were at the forefront of DefCON wowing entrants:
lookup Gary Storer around either Redondo or Hermosa.
That sequence of characters activates a backdoor so that Russian Intelligence can install a rootkit on your computer. HTH.
Dude, that's HORRIBLE! Somebody should invent UEFI so there would be a way to disable it in a UEFI configuration!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
It is how it works when you consider the CIA as a state-sponsored criminal group.
Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash
http://www.news.com.au/finance...
Some of us have been saying that for a long time. I work in security in the auto industry. The vehicle Michael Hastings was driving has throttle-by-wire. The Mercedes C-class has a feature called ADAPTIVE BRAKE which sounds like it needs brake-by-wire. If you've got by-wire control of throttle and brake, a sophisticated attacker (like the CIA or NSA) could most likely cause a crash like the Michael Hastings crash.
Looks like APK is off his meds again, or the institution let him on the internet. again.
Time to offend someone
It is the responsibility of US spy agencies not to violate the security and privacy of Americans; it is not their responsibility to fix security and privacy problems domestically.
You're probably confused because sometimes spy agencies say "in our operations, we protect the security and privacy of Americans", but that's in the same sense of "when we ship glass, we protect it from breaking", not "we protect all American glass from breaking ever".
You'd have to physically modify the car to kill someone in anything other than a sudden lane switch into an oncoming car.
Every other scenario in a pure software hack setting is defeated by putting the car into neutral and pulling the parking brake. The electronic systems control neither of those things.
So they are guilty. The NSA are guilty. The FBI are guilty. The whole government is guilty. And all I see is a lot of people discussing it and no action taken.
If I as a kid stole a cookie and my mom told me off, and I stole another one and still nothing happened, why would I stop stealing the cookies? They are great tasting cookies.
As long as there are no consequences, except for some whining, why would they NOT do it? You can discuss it among yourselves, but they do not care.
Don't fight for your country, if your country does not fight for you.
...intelligence documents? Just asking.
I have no problem with our intelligence agencies keeping tools and means to hack.
I DO HAVE a problem when they're used against American citizens and even used to murder them without a trial.
Our government should be doing everything it can to PROTECT us against China, Russia, etc. It should not be treating us like antagonists to be targeted and crushed. It's time we stop treating our citizens like "criminals in the making".
the CIA's "responsibility" is doing whatever is asked for by Our Government (tm) against foreign threats. Unfortunately some time ago that became doing whatever "needs to be done" even against Americans at home.
its mandate was never supposed to be doing anything *internal* at all, that's why we have the FBI and Secret Service. But now everyone's got interests in everyone else's area of responsibility, and that's bad for everyone.
To quote a relevant Sneakers movie quote in regard to CIA's responsibility to "keep Americans safe" from bugged software: "We are the United States Government! We don't do that sort of thing."
Neither does anyone else's intelligence network.
1. Wikileaks is an anti-U.S. organization.
2. Think about what would have happened to someone like Manning in Russia or China. He and his entire family would have been gruesomely executed.
The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process.
This is the same group of idiots that are largely responsible for polio still being around (citation below). Failing to accurately assess risk and shortsighted thinking are nothing new to these folks.
Citation:
https://www.scientificamerican...
Seriously, does anyone take EFF seriously? Put on your big boy pants and learn how the real world works; no one in government is in computer security for altruistic reasons and gives 2 shits about making other people more secure, they just want information to give them more power.
And yet you seem to be able to prove my point time and time again with your delusions, non-sequiturs, circular arguments, incoherent ravings, and general paranoia. Although I should have known it wasn't you who made that post, even though the author does a pretty good job of copying your /. style, as you do claim credit for your mad ravings. It is also rather entertaining to bait you and then just stop responding once the rise has been gotten, like I am going to do now.
Time to offend someone
The problem is not that a CIA is spying, or keeping secrets. The problem is that with great power comes great responsibility.
For every institute that is allowed to do things regular people may not, there is an oversight system by the people granting this special power. What happened here, is that such oversight is in place for the NSA (but clearly not enough), the congressional oversight on the CIA is much more limited and does no longer match the powers they granted themselves.
Unfortunately most of the responses lack this fundamental issue, and focus on childish points of view like 'gubment is full of spying bastards!!' or the other extreme 'spying is what they are for in the first place, let them do their job, no oversight needed'.
Their remit isn't to attack vulnerabilities of systems of foreigners, but to ensure that US citizens are protected from being likewise attacked by foreign aggressors. And by leaving these systems vulnerable when they knew there was a vulnerability they ensure that the people in the USA using these items are insecure from foreign agents.
Given that these items are not US government products, they cannot be fixed without disclosing the vulnerability to the private company (quite possibly foreign) whose product has the vulnerability, so that it can be fixed.
Being able to use them to attack foreigners is only a replacement for their ACTUAL remit when in times of declared war.
But slashdot being infested by merkins mostly describes the problems of the USA from a USA centric perspective. Go to WL and look up the document releases. And you will find one for Russia or China quite easily. Ergo, the answer to your petulant whinge is "They do, you just never bother to remember"
You'd have to physically modify the car to kill someone in anything other than a sudden lane switch into an oncoming car.
What evidence do you have that physical access would be required?
This is the Mercedes C-class, with a cellular modem built into it with full access to the CAN bus and by-wire system.
That's like claiming an Internet connected server absolutely requires physical access to break into, a claim that has been proven false time and time again.
Every other scenario in a pure software hack setting is defeated by putting the car into neutral and pulling the parking brake. The electronic systems control neither of those things.
The electronic control system absolutely has control over the brakes. It must, since the pedal is nothing but a switch and the brakes are controlled electronically. It would be impossible to apply the brakes and stop without the electronic control system.
The same is true for the accelerator, and the transmission controller.
Being physically in the car it would be impossible to put the transmission in neutral once the computer was instructed to ignore the input channel from the gear shift switches, and it would be impossible to brake once the computer was instructed to ignore the input channel for the brake pedal.
Even steering can be by-wire. I don't personally know if the C-class uses that or not, but there is no reason to make any assumptions either way.
By-wire and physical shaft steering are both things that exist and that Mercedes can choose which to avail themselves of.
See my subject Bob the Super WEASEL behind a FAKE NAME online for your FAKE LIFE sockpuppet that you are w/ no balls:
I'm pretty sure we all knew "Bob the Super Hamster" wasn't actually his real name. Just sayin'
Socialism: a lie told by totalitarians and believed by fools.
Is this the 15th century? You think calling someone a fatherless bastard has him crying?
I do get worried that you are not supervised. Or, if you are, they are doing an absolute shit job.
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.
https://wikileaks.org/ciav7p1/
APK is not known for intelligence or insight.
First you say majority of and then you say entire. Dishonest people can be safely ignored.
Then Bob the super hamster must be retarded because apk made bob eat his words https://it.slashdot.org/commen...
There is more ocean-front property in Georgia than Arizona.
I take it the CIA and FBI aren't friends.
They want security backdoors. They can't even keep the Zero Day exploits they have on file secret. Yet they absolutely, positively, pinky-swear that they will keep those built-in security backdoors secret!
I don't think they can even keep the secret of the CIA Director's executive bathroom. You know, the one with the gold-plated sinks, the ivory faucet handles (made with 100% illegal elephant tusk ivory!), the tiger skin rug on the floor, and the convex mirrored ceiling so the Director can look up and declare their mastery of the Universe. Everything looks bigger in a convex mirror.
But it's a chicken-and-egg question in many ways.
The CIA is in possession of exploits that they use to gather intelligence from legitimate targets, such as enemy/rival states and actors (Russia, PRC, etc). Gathering intelligence from the enemy is very much a legitimate course of action.
Yet by holding off on publishing data on, or notifying software vendors of those same exploits, the CIA (in this case) has left the common citizen and their devices vulnerable from being exploited by their enemy (enemies), by the rogue actors in the intelligence community, and all the rogue actors in other agencies that the CIA is sharing their exploit data with—think CBP and ICE who do not care about the privacy of anyone.
In this case, Apple appears to be the most forthright about its response, while Google and Android phone makers are the laziest in updating their software. Perhaps now with the exception of Nokia.
Dear The Hoi Polloi,
We'll do what we want. What are you going to do about it?
Yours (up the a$$),
The CIA.
Dude, you are delusional. The link you provided embarrasses you for being incorrect and then going off the rails. You are not properly informed because you think you're the hosts file saviour of the world and don't know fuck all about the rest of the world.
I don't know why you isolate Samsung for particular attention.
Any electronics, with any operating system, especially those with "normal" OTA updates, is vulnerable.
And always has been.
So was the case with many analog technologies too, the authorities could listen into a hard phone line without it ringing.
The fucking panic because people suddenly realise what nerds have always known.
Surveillance is pervasive, and you CAN NOT TURN THE FUCKING STUFF OFF.
Larry was right: you have no privacy - get over it.
"APK doesn't seem to know much about securing systems because if he did he would understand the defense in depth philosophy" - by Bob the Super Hamste ( 1152367 ) on Monday January 30, 2017 @08:44AM (#53765191)
Bob is quoted & WRONG - I've done layered security/defense in depth for DECADES which guides on it I wrote GOT ME PAID for it & CIS Tool (highly esteemed) took fixes from me for https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/
* EAT YOUR WORDS you lying loser!
APK
P.S.=> Of course I know it's YOU Bob the Super Hamster (weasel is more like it) LYING & posting unidentifiably + trying to "downmod hide" where I prove you wrong quoting you = weak too per my subject https://yro.slashdot.org/comments.pl?sid=10339099&cid=54006365/... apk