Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)
Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
The NSA is supposed to help and disclose vulnerabilities to the US at the very least, rather than exploit them. The CIA on the other hand has no such goal, and the sole reason to search vulnerabilities is to exploit them onto every other country.
It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discussing since forever, and it's hardly just the CIA that's been taking advantage of the environment.
And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps? Should the CIA have meetings with every half-assed IOT vendor to tell them that their device is a POS and how the CIA takes advantage when we and they all know this already?
Says the CIA on their about page under responsibilities of the director.
Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;
Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".
It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals' information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.
...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
The Vulnerabilities Equities Process doesn't have a mandate to disclose, merely to determine if they should disclose or keep it for use. The EFF explains it:
EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.
EFF v. NSA, ODNI - Vulnerabilities FOIA
The EFF has a heavily redacted copy of the policy; the key statement in there is "When a decision is made to disseminate..."
I'm a consultant - I convert gibberish into cash-flow.
Challenge accepted. In the last 10 years:
-Malala Yousafzai is a Nobel Peace Prize winner and she is from Pakistan. https://www.nobelprize.org/nob...
-Aziz Sancar was born and educated in Turkey (difficult to tell whether he is of Muslim faith or not, but he was probably at least raised in that culture) and is a chemistry Nobel Prize recipient.
-Maryam Mirzakhani was born and educated (up to bachelor) in Iran and received a Fields medal.
National security not personal security. Not the same thing.