Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Posted by msmash on from the is-it-worth-the-sacrifice dept.

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

6 of 246 comments (clear)

  1. CIA is a spy agency that breaks the law. by Anonymous Coward · · Score: 4, Interesting

    The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

  2. Did CIA kill Mike Hastings by controlling his car? by schwit1 · · Score: 5, Interesting
    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance...

  3. Re:Who's Responsibility? by ThomasBHardy · · Score: 5, Interesting

    While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.

    I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.

    But I'm not so sure that they have a legal obligation to do so.

    There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.

    So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.

    --
    Warning: Teh poster of this messaeg is lysdexic
  4. Re:That's not how it "should" work by moeinvt · · Score: 3, Interesting

    Do they really "exist" to gather information, or is gathering information just one tactic that they use as part of a larger mission? I'd argue that the only reason for their existence, or the existence of government in general, is to serve The People. Don't they repeatedly justify their activities by the claim that they're doing us a service?

    Suggesting that the intelligence agencies exist purely for information gathering is the same as saying that the military exists purely to blow things up and kill people. They're good at doing that, but they do it in pursuit of a particular mission. "Invade and Occupy Iraq and find all the WMDs" for example.

    If the mission of the intelligence agencies is to serve The People who pay the taxes and from whom the government derives its just power, they are doing us a disservice because we're not only vulnerable to THEIR information gathering, but vulnerable to anyone else in the world who figures out how to exploit same vulnerabilities.

  5. Re:Who's Responsibility? by T.E.D. · · Score: 4, Interesting

    Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

    "intelligence" is government-speak for information they took from someone. If your desk safe has a factory combination that always works, that isn't "intelligence". The contents of what they found inside your safe when they used that combo is intelligence.

    So no, its not their job to warn US citizens if they are vulnerable domestically. That's called "domestic counter-intelligence", and is explicitly the FBI's job.

    Sure, it would be nice if the CIA did it anyway. But if that burns a method they are finding useful themselves to do things that ARE their job, I wouldn't hold my breath.

  6. Re:Who's Responsibility? by AmiMoJo · · Score: 4, Interesting

    They knew that Samsung TVs could be used to spy on people via their cameras and microphones. Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc. And in all likelihood, the Russians and the Chinese and the Iranians and the North Koreans and GCHQ and many other intelligence agencies know all this too. I wouldn't be at all surprised if for-hire black hats knew as well.

    So the CIA has a choice. Sit on this information and use it to gather intel themselves, but leaving the US at severe risk, or publish and give up their capability but also deny it to their adversaries. They must have either decided that the intel was more valuable than the loss to US citizens and corporations, or more likely never even had this discussion.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC