Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Posted by msmash on from the is-it-worth-the-sacrifice dept.

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

136 of 246 comments (clear)

  1. Who's Responsibility? by ISoldat53 · · Score: 5, Insightful

    Is it the CIA's responsibility to point these out? How many "flaws" are intentional?

    1. Re:Who's Responsibility? by Anonymous Coward · · Score: 5, Insightful
      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

    2. Re:Who's Responsibility? by phayes · · Score: 2

      Says who?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    3. Re:Who's Responsibility? by goombah99 · · Score: 4, Insightful

      It's like how when the CIA discovers a Russian General has a secret to hide they never black mail him but immediately notify the Russian Authorities of their vulnerability.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    4. Re:Who's Responsibility? by rmdingler · · Score: 2

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      Security yes... abroad. Privacy: not so much.

      The CIA has been historically responsible for international operations, including spying in and on foreign nations. The FBI is supposed to do those things inside the country.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    5. Re:Who's Responsibility? by nomadic · · Score: 2

      Pretty much. This story makes zero sense. The CIA didn't just happen to find security flaws, they intentionally looked for them so they could exploit them.

    6. Re:Who's Responsibility? by ThomasBHardy · · Score: 5, Interesting

      While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.

      I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.

      But I'm not so sure that they have a legal obligation to do so.

      There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.

      So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.

      --
      Warning: Teh poster of this messaeg is lysdexic
    7. Re:Who's Responsibility? by thegarbz · · Score: 5, Informative

      Says the CIA on their about page under responsibilities of the director.

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

    8. Re:Who's Responsibility? by Opportunist · · Score: 4, Insightful

      It's the CIAs job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.

      In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:Who's Responsibility? by Archtech · · Score: 1, Insightful

      It's like how when the CIA discovers a Russian General has a secret to hide they never black mail him but immediately notify the Russian Authorities of their vulnerability.

      That's logical, because Russia - like the USA - is the CIA's enemy.

      --
      I am sure that there are many other solipsists out there.
    10. Re:Who's Responsibility? by Opportunist · · Score: 1

      As long as commercial interests and hence the national security interests and hinge to no small part on the economic stability and power of the US use the same tools that private citizens use, protecting our privacy is basically collateral damage of protecting the US national security.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re: Who's Responsibility? by Anonymous Coward · · Score: 1

      George? Is that you?

    12. Re: Who's Responsibility? by chasm22 · · Score: 2

      And, in your mind, there will never be any problem deciding what is appropriate?

      It seems to me to be a typical document meant to cast an 'appropriate' image of an agency whose very nature makes it impossible to easily explain its actions.

      I find this action by Wikileaks to be disturbing by its timing. The contents shouldn't be a total surprise.

      There's been plenty of hints going back years. In 2003 we had OnStar versus the FBI. A couple of years ago Verizon tried to patent an invention that made your TV both a display and a video cam.

    13. Re:Who's Responsibility? by gnick · · Score: 2

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

      The definition of the word "appropriate" makes all the difference in that statement. Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?

      --
      He's getting rather old, but he's a good mouse.
    14. Re:Who's Responsibility? by Stephan+Schulz · · Score: 2

      I cannot resist. "In Soviet Russia, TV watches you." More seriously, it looks like 1984 was a documentary...

      --

      Stephan

    15. Re: Who's Responsibility? by Impy+the+Impiuos+Imp · · Score: 3, Insightful

      Thb they would probably argue they are protecting the safety of US citizens by maintaining a spy capability. That is their job, not turning over those same vulnerabilities.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    16. Re:Who's Responsibility? by T.E.D. · · Score: 4, Interesting

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

      "intelligence" is government-speak for information they took from someone. If your desk safe has a factory combination that always works, that isn't "intelligence". The contents of what they found inside your safe when they used that combo is intelligence.

      So no, its not their job to warn US citizens if they are vulnerable domestically. That's called "domestic counter-intelligence", and is explicitly the FBI's job.

      Sure, it would be nice if the CIA did it anyway. But if that burns a method they are finding useful themselves to do things that ARE their job, I wouldn't hold my breath.

    17. Re: Who's Responsibility? by Anonymous Coward · · Score: 4, Insightful

      The problem with not having this released by Wikileaks is that until now, the people who claimed this capability existed were labeled as paranoid conspiracy theorists. Same thing with Snowden's leaks. I saw a column in the USA Today just now that said Americans don't need to worry because the CIA doesn't spy on Americans. Utter crap. They give the tools to European agencies to spy on us in the USA and we spy on their citizens for them.
      National security does not justify whatever they want to do. They no longer fear prosecution because no one faced consequences after the Snowden leaks.
      Basically, if nothing happens now except a manhunt for the whistleblower, we are all freaking doomed.

    18. Re: Who's Responsibility? by jafiwam · · Score: 2

      "Correlating and evaluating intelligence related to the national security.."

      Bobs hacked Samsung TV is not a national security issue. Its not the CIA's job to worry about the fact that someone could possibly compromise your smart phone revealing all your most sensitive dick picks. The CIA holds on to vulnerabilities like these to do little insignificant things like hacking the NK nuclear missile programs stalling a potential international conflict, hacking Iranian nuke programs, thwarting terrorist bombings by interception of communications, destabilizing foreign nations that are apposed to your existence, etc.. But I'm sure your dick pics should be their top priority.

      You forgot "Spy on opposition candidates"

    19. Re:Who's Responsibility? by AmiMoJo · · Score: 4, Interesting

      They knew that Samsung TVs could be used to spy on people via their cameras and microphones. Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc. And in all likelihood, the Russians and the Chinese and the Iranians and the North Koreans and GCHQ and many other intelligence agencies know all this too. I wouldn't be at all surprised if for-hire black hats knew as well.

      So the CIA has a choice. Sit on this information and use it to gather intel themselves, but leaving the US at severe risk, or publish and give up their capability but also deny it to their adversaries. They must have either decided that the intel was more valuable than the loss to US citizens and corporations, or more likely never even had this discussion.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re:Who's Responsibility? by jbolden · · Score: 1, Informative

      National security not personal security. Not the same thing.

    21. Re:Who's Responsibility? by jbolden · · Score: 1

      The FBI (and more the department of commerce) not the CIA is responsible for protecting corporate interests. The CIA can freely endanger American corporate interests.

    22. Re:Who's Responsibility? by bobbied · · Score: 1

      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

      I hate to disagree, but isn't that the FBI's job domestically? At least it's going to be part of Homeland Security or something...The CIA is specifically limited to gathering forgiven intelligence isn't it?

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    23. Re: Who's Responsibility? by hesiod · · Score: 1

      National security does not justify whatever they want to do.

      But 9/11! We need to be protected!

    24. Re: Who's Responsibility? by unixisc · · Score: 1

      George who?

    25. Re:Who's Responsibility? by mandark1967 · · Score: 1

      There's nothing in that italicized statement that states it's their responsibility to ensure your right to privacy.

      There's nothing in that statement that states it's their responsibility to disclose vulnerability information to the holes can be patched

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    26. Re:Who's Responsibility? by unixisc · · Score: 2

      Actually, 1984 was an Oracle or Nostradamus prediction - only thing - happened to be off by 32 years

    27. Re:Who's Responsibility? by reddi-phreddi · · Score: 1

      On the other hand, these flaws are probably exploited in common by all of the other spy agencies, so the disclosure is a plus.

    28. Re: Who's Responsibility? by TheRaven64 · · Score: 1

      Bobs hacked Samsung TV is not a national security issue

      It is when Bob is the son of a general and the television is used to eavesdrop on conversations of classified material in his house.

      --
      I am TheRaven on Soylent News
    29. Re:Who's Responsibility? by TheRaven64 · · Score: 1

      Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc.

      It's worse than that. These TVs don't just end up there, they're actively marketed at these places because they can install various video conferencing apps and avoid the need to have a separate computer to control the video conferencing system.

      --
      I am TheRaven on Soylent News
    30. Re:Who's Responsibility? by TheRaven64 · · Score: 1

      Apple released the G5 iMac - a wall-mountable computer embedded in a display with a camera and network interface built in - on the 20th anniversary of their 1984 superbowl commercial, which ran with the tagline 'why 1984 won't be like 1984'. Apparently the reason was that it will take 20 years to get it into production.

      --
      I am TheRaven on Soylent News
    31. Re: Who's Responsibility? by MSG · · Score: 1

      The CIA doesn't have a responsibility to Russia. If their officials have personal vulnerabilities, those vulnerabilities are exclusively Russian. Software vulnerabilities aren't exclusively Russian. These vulnerabilities affect American citizens. They affect American troops and officials. They affect American government agencies. The risk is not simply that the vulnerabilities will be discovered by foreign intelligence, but that any one of thousands of employees and contractors could sell the entire archive, instantly giving the buyer capabilities equal to or greater than the CIA itself.

    32. Re:Who's Responsibility? by spire3661 · · Score: 1

      All this says is that you are ok with the CIA operating on its own agenda.

      --
      Good-bye
    33. Re:Who's Responsibility? by fonske · · Score: 1

      Suicidal Tendencies was already making songs like "flashing pictures on my screen, shown too quickly to be seen, does not register in my conscious mind, propaganda of another kind - they're fucking with me subliminally"

    34. Re:Who's Responsibility? by hairyfeet · · Score: 1

      Uhhh you might want to look up the history of the CIA, the amount of murders of politicians and political leaders that didn't kiss the corporate ring of some multi-national? Is just staggering, nearly every action they did that resulted in "regime change" was to benefit some corp that was exploiting the people or the resources of some weaker country. They follow the "war is a racket" playbook and make sure that greedyco doesn't have to worry about any pesky peasants actually wanting to be treated right or using their own resources.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:Who's Responsibility? by jbolden · · Score: 1

      Sure. If the USA decides a particular corporate activity is in the national interest then the CIA can freely back it. We had a lot more crony capitalism 1930s-1970s and it showed across all areas of government, including the first 3 decades of the CIA. My point is that this is not a blanket guarantee. They can also act against corporate interests freely when they deem it appropriate.

    36. Re:Who's Responsibility? by thegarbz · · Score: 1

      Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?

      That depends on what is more important. Protecting yourself or protecting the people. Lets face it, it hasn't been the latter for a long time.

    37. Re: Who's Responsibility? by cellocgw · · Score: 1

      Bobs hacked Samsung TV is not a national security issue

      It is when Bob is the son of a general and the television is used to eavesdrop on conversations of classified material in his house.

      SRSLY? If some jackass general is discussing classified info outside of an approved secure area, that's the national security issue. He should be court-martialed. That said, catching him in the act in his own home should be preceded with issuance of a valid warrant.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    38. Re: Who's Responsibility? by leftCoaster · · Score: 2
      Suppose the general is abusing his son. Suppose he is discussing something with his mistress. Suppose the general is dressing up in his daughter's clothes. Knowing any of that could make him vulnerable to coercion. This leverage could be used to influence the general in subtle ways.

      One reason people objected to the collection of meta-data was that with sufficient, seemingly innocent, data it is possible to discern guilty behavior.

    39. Re:Who's Responsibility? by lgw · · Score: 1

      nearly every action they did that resulted in "regime change" was to benefit some corp that was exploiting the people or the resources of some weaker country

      That's not really useful evidence is the thing. Any regime change that didn't install a communist was going to benefit some corp in the region (and if the old guy wasn't a commie, then it would screw whatever corp he was in bed with).

      Since the primary mission of the CIA for years was to overthrow small communist-leaning governments, usually for some tyrant who ended up working against us, the result would tend to be pro-corporate just as a side-effect of their blind anti-Red agenda.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    40. Re:Who's Responsibility? by Talderas · · Score: 1

      It's a plus depending on who you're talking about.

      Foreign Spy Agencies: Positive
      Domestic Companies: Positive
      CIA: Negative
      Domestic Spy Agencies (Excluding CIA): Probably Negative

      Consider the following scenarios where two spy agencies both use an exploit to spy on the other team.

      1. Neither agency is aware the other agency has the tool.
      2. Both agencies are aware the other agency has the tool.
      3. One agency is aware the other agency has the tool but not the inverse.

      3 is the ideal situation for your team because you can employ honeypots and misinformation so you want to be on the upper hand where you know the other side has the tool. There's no telling how many of these exploits fall into category three. It means that other intelligence agencies will be rummaging through this list of exploits to identify weaknesses and information that they didn't think the CIA knew as well as identifying any information collected with these exploits as they need to be put back under consideration on whether they are true or not.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    41. Re:Who's Responsibility? by Tharkkun · · Score: 1

      Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc.

      It's worse than that. These TVs don't just end up there, they're actively marketed at these places because they can install various video conferencing apps and avoid the need to have a separate computer to control the video conferencing system.

      So let me get this straight. The CIA works with Samsung to market TV to specific people and corporations and then also interferes by back dooring these specific tv's before shipping them out? Because it's already been proven the TV's can't be accessed remotely without first having physical access (usb port) and modifying them.

    42. Re:Who's Responsibility? by phayes · · Score: 1

      They "correlate and evaluate" to the State department and other entities of the USG.

      The "Disseminating information" part of their mission does not mean that they must (or should) inform corporate entities of their bugs.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    43. Re:Who's Responsibility? by phayes · · Score: 1

      Some parts of the USG have the mission to protect us: CERT for example.

      Some parts have the mission to get evaluate and distribute information to the State dept and the rest of the executive branch. CIA/NSA/...

      Anyone who claims that both are not needed and the USG should only "Protect us" are either lying or idealistic fools. Which are you?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    44. Re:Who's Responsibility? by phayes · · Score: 1

      When the CIA/NSA/... is following the constitutional laws and directives of the executive branch they are performing the mission that they were created to do.

      That mission does not include serving as Apples/Googles/Microsofts/ZTEs/Huaweis/Samsungs vulnerability assessment division.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    45. Re:Who's Responsibility? by Namarrgon · · Score: 1

      Except all the US generals have the exact same secret, and are equally vulnerable to blackmail. As do their politicians, corporations, citizens, and allies.

      So by not notifying anyone, they're leaving their own country wide open to the Russians, Chinese, Mossad, other nations, organised crime etc, who they are hoping desperately haven't and won't ever notice the same secret themselves. They can't even tell if it's already happened. It's pure security through obscurity, and we've just seen that it didn't work.

      Apparently they're supposed to disclose them, but clearly they're not.

      --
      Why would anyone engrave "Elbereth"?
    46. Re:Who's Responsibility? by Xest · · Score: 1

      Actually I suspect the real problem is that they've been tasked to focus on terrorism for so long now that counter-intelligence has been largely neglected, which is why they're suffering all these leaks in the first place.

      I suspect the question was a lot less, "Do we gather foreign information at the risk of US information?", and more, "Information is small fry compared to stopping the next 9/11". The reality is they're probably always going to prioritise intelligence gathering to avert physical attacks over counter-intelligence right now because it has been their assigned priority since the war on terror began.

      I presume with all the leaks they may be beginning to wake up to the reality that there's a cost to taking your eye off the ball of counter-intelligence and focussing almost entirely on terrorism now however.

    47. Re:Who's Responsibility? by Anonymous Coward · · Score: 1

      Why are people acting like the CIA has some secret hack? This is old news.
      ANYONE that's been paying attention knows about the smart TV vulnerabilities.

      Slashdot, from 2012:
      https://tech.slashdot.org/story/12/12/12/168202/zero-day-hole-in-samsung-smart-tvs-could-have-tv-watching-you
      https://yro.slashdot.org/story/12/03/31/2027225/samsung-says-their-tvs-arent-really-spying-on-you
      https://it.slashdot.org/story/12/04/24/1642230/samsung-tvs-can-be-hacked-into-endless-restart-loop

      Another warning from 2016.
      https://tech.slashdot.org/story/16/02/14/1742240/samsung-warns-customers-to-think-twice-about-what-they-say-near-smart-tvs

    48. Re: Who's Responsibility? by EmptyHead · · Score: 1

      They are an intelligence group. Their job is to find ways to exploit just about anything. Now, if they are breaking the law this dump will likely save Congress time to discover that. However, whoever did this is just creating anarchy and I hope they bring back treason when it happens. You are always aiding the enemy when you dump this kind of information that you have signed legal agreements and sworn duties to protect.

    49. Re:Who's Responsibility? by EmptyHead · · Score: 1

      Mod parent up. A lot of this info that was released is rather old. The smart phone stuff has been around for quite a while too. There have been theories about smart card exploits as well.

      https://it.slashdot.org/story/...
      https://tech.slashdot.org/stor...
      ...etc.

  2. I don't agree by Anonymous Coward · · Score: 2, Informative

    The NSA is supposed to help and disclose vulnerabilities to the US at the evry least, rather than exploit them. The CIA on the other hand has no such goal, and the sole reason to search vulnerabilities is to exploit them onto every other countries.

    1. Re:I don't agree by SharpFang · · Score: 2

      "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    2. Re:I don't agree by phayes · · Score: 1

      So the NSA/CIA/... are now the publicly financed bug tracking unit of Apple/Google/Microsoft/ZTE/Huawei/Samsung/etc ?!?

      Saying otherwise is "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?!?!

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    3. Re:I don't agree by Fire_Wraith · · Score: 5, Insightful

      You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.

      The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.

      In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?

    4. Re:I don't agree by SharpFang · · Score: 1

      They are also meant to be an external department of DEA, by arresting drug smugglers instead of taking their money to fund own operations.

      They are also meant to be the American-funded police of Mexico, and customs agency, in order not to aid smuggling weapons to Mexican mafia.

      Oh, and they are meant to be bodyguards of democratically elected politicians in South America, in order not to aid the local dictators in assassinating them.

      And they definitely should open public-funded hospitals to aid people, so that they can't test illegal drugs on them.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    5. Re:I don't agree by tinkerton · · Score: 4, Insightful

      Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them(well, hypothetically, let's say 'better defined') The FBI is domestic but has its constraints. The NSA does hacking but has its constraints . The CIA does spying.
      Then if the CIA expands into the domestic front and into the hacking front without the constraints, (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The common response though is 'the CIA is defending us they don't need to be constrained.' Yeah right. The whole security apparatus has gotten completely out of hand.

    6. Re:I don't agree by Fire_Wraith · · Score: 1

      That is another problem area, and partly why we've seen the push for more things that could potentially be abused. Back in the day (so to speak), if you were spying on a radio broadcast from within the USSR, it was pretty clear that's what it was. You'd have to put your listening post somewhere close(r) to Russia. It wouldn't be in the middle of Kansas. Geography would make for a pretty clear definition. If you tapped phone calls in the USSR, you were pretty likely to get Soviets and not Americans, because Americans' domestic calls or even international calls weren't being routed through the USSR unless they were calling someone there.

      Fast forward to today, where the internet is global, and traffic from Country A to Country B probably runs through the USA at some point, using all the same protocols as purely domestic activity. If the CIA wants to be able to hack computers belonging to bad guys from the Evil League of Evil, those very same tools can just as easily be used to hack anyone in the USA, because they're all using the same hardware and software we do. It's not even a matter of geographic separation anymore, either, as a US government hacker sitting at CIA HQ can just as easily make a connection over the internet to anywhere in America as to the rest of the world.

      Now, I've worked with people in the Intelligence Community before, and I have a good opinion of them, but there definitely needs to be stronger oversight on a number of these things, because the potential for abuse is just so much higher than it used to be. Safeguards dating from the 1970s badly need updating to take into account the new reality.

    7. Re:I don't agree by bobbied · · Score: 1

      "National Security" is not the same as "Personal Security". While they are related at times please do not conflate the two.

      One is about the defense of the nation as a whole and is clearly a government responsibility, the other is only a government responsibility in as far as law enforcement and regulations are concerned.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    8. Re:I don't agree by phayes · · Score: 1

      You need to tell whoever it is that is feeding you these "meant to" lines to knock off the psychotropics. None of that has anything to do with the missions of the CIA/NSA.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    9. Re:I don't agree by SharpFang · · Score: 1

      Same goes to you, with the bug tracking mission.

      Their primary mission is to protect safety of USA citizens. If they find something that threatens that safety, they should stop that thing by most prudent ways available. Not copy it and keep using themselves! Yeah, that thing might make them more efficient at spying. But it makes them way less efficient at protecting the USA.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    10. Re:I don't agree by phayes · · Score: 1

      The mission of the CIA/NSA is NOT the "protect safety of USA citizens" [sic], that's just you making things up. Their mission statements are online. I suggest you read them to cure your ignorance

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    11. Re:I don't agree by tinkerton · · Score: 1

      I fully agree that the mere fact by itself that globalisation has made the categories more fuzzy, much less separate would require a major update of the rules. Only I think what's been going on in the last 15 years is of a different order. It's more in the neoliberal category of 'do whatever you want and take whatever money you need'. Now I've become a strong believer in checks and balances over time and I consider the current situation very unhealthy in that respect. The security apparatus simply has too much power now.

    12. Re:I don't agree by SharpFang · · Score: 1

      Funny. I just reread it. None of the entries states anything of actual benefit to the country, or anyone for that matter. The entirety of existence of CIA is fulfilling a pointless and baseless whim of the president - deliver intelligence. With absolutely zero rationale given. Zero authority for doing anything else.

      Yep, looks exactly like your typical runaway optimizer AI, the paper-cliper. Unable to determine conditions at point X for an intelligence report? Nuke it, then report "conditions:nuclear crater" with full authority. Given presidential candidate might limit the agency's ability to collect intelligence? Lead another candidate to win. Given intelligence collection project needs funds? Smuggle drugs.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    13. Re:I don't agree by phayes · · Score: 1

      I congratulate you on taking the first steps of enlightenment. The next step will be to accept that just because you do not understand something that it does not automatically mean that it is without value. A common indicator of this failure on your part is when you disagree with everyone around you but finding another self deluded fool doesn't make you right either.

      The CIA exists to gather evaluate and deliver intelligence following the directives of the Executive branch while remaining within the bounds and budged defined by Congress & the Courts & would not exist were they all to find it as useless as your unlearned self does.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    14. Re:I don't agree by SharpFang · · Score: 1

      Apparently they don't really care about the bounds as defined by the Courts that much. Never mind, while I never claimed what they produce is worthless, they produce it at a certain cost - and not just budgetary, but a cost to the society as a whole: privacy, liberties, justice, public order, stability, respect to the government, public health and safety. And at times these costs outweigh benefits by far - but since they are "hidden", never directly compared against the benefits - CIA can incur any costs it wishes, as long as the purely financial budget isn't exceeded and the violations aren't too obvious, it can do this with impunity.

      Iran-Contras might have provided USA with certain benefits - but you'd be hard-pressed to argue they were well worth the costs it incurred.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    15. Re:I don't agree by phayes · · Score: 1

      _You_ are in no position to judge, hell, until so very recently you didn't even know what the CIA's missions were and were just repeating the stupidities that others with no better comprehension fed you. I doubt you even know who controls their financing and decides whether or not they are performing their assigned missions as expected or not.

      You're ignorant but still think that your opinion merits consideration. In short, you're a troll. Bye...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    16. Re:I don't agree by SharpFang · · Score: 1

      Okay, so I'm clueless. Care to enlighten me: detail how MKUltra was the right thing to do? What don't I know about it that I can't judge CIA by it?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  3. CIA is a spy agency that breaks the law. by Anonymous Coward · · Score: 4, Interesting

    The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

    1. Re: CIA is a spy agency that breaks the law. by Kkloe · · Score: 2

      It is called doing their job like any * dum dum dum * spy agency should do, maybe you have heard of such terms. If you have problems with how they do their job complain to their boss(es).

    2. Re:CIA is a spy agency that breaks the law. by Archtech · · Score: 2

      Is there an equivalent of Godwin's Law for Israel and the Jews? Because there ought to be.

      --
      I am sure that there are many other solipsists out there.
    3. Re:CIA is a spy agency that breaks the law. by torqer · · Score: 1

      Congratulations: it's the Archtech Law.

      Now go get a wikipedia page and it's official.

    4. Re:CIA is a spy agency that breaks the law. by unixisc · · Score: 2

      The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

      Iran Contra was not a CIA operation: it was an NSC operation - Ollie North was an NSC guy.

      Anyway, right now, the various intel agencies are more dedicated to running a background government of their own, complete w/ their own foreign and defense policies. Which is why they're doing their utmost to undermine the president. Having tasted blood in the form of Lt Gen Flynn, they're now targeting Sessions and anyone else they perceive as a threat, so that they can get their own swamp nominees in.

    5. Re: CIA is a spy agency that breaks the law. by ACE209 · · Score: 1

      other nations don't care about you, your laws, and your "human rights".

      The question is more: are there some nations who don't care or are it all nations?

      And what kind of nation do you want to be?

      --
      "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  4. That's not how it "should" work by phayes · · Score: 2, Interesting

    Right, so when the CIA/NSA/whatever, uses a vulnerability that gives them access to information -- that it is their reason for existing, they should immediately turn the vulnerability over to the device manufacturer so that they will patch it.

    Because these agencies exist and are financed to perform vulnerability testing for Apple/Google/Microsoft/HP/Dell/ZTE/Huawei/etc!?!?

    Methinks that anyone that can say "that's not how it should work" with a straight face can only be a lawyer, habituated to defining truth as "whatever best serves me/my client".

    We cannot be appalled by the lies of people like Trump and at the same time accept it when people who are say that they are defending us from his and other deceptions are also lying to us.

    EFF, this does not help as it only gives Trump et all more ammunition.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re:That's not how it "should" work by moeinvt · · Score: 3, Interesting

      Do they really "exist" to gather information, or is gathering information just one tactic that they use as part of a larger mission? I'd argue that the only reason for their existence, or the existence of government in general, is to serve The People. Don't they repeatedly justify their activities by the claim that they're doing us a service?

      Suggesting that the intelligence agencies exist purely for information gathering is the same as saying that the military exists purely to blow things up and kill people. They're good at doing that, but they do it in pursuit of a particular mission. "Invade and Occupy Iraq and find all the WMDs" for example.

      If the mission of the intelligence agencies is to serve The People who pay the taxes and from whom the government derives its just power, they are doing us a disservice because we're not only vulnerable to THEIR information gathering, but vulnerable to anyone else in the world who figures out how to exploit same vulnerabilities.

    2. Re:That's not how it "should" work by jbolden · · Score: 1

      Determining resolution of sources and methods is the job of the Senate and House intelligence committees. If they wanted the CIA to be in the vulnerability patching business they would have instructed them to do so.

    3. Re:That's not how it "should" work by chispito · · Score: 1

      TLDR: If they were not permitted to hold onto vulnerabilities, they would stop finding vulnerabilities.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:That's not how it "should" work by phayes · · Score: 1

      After following the appropriate laws and the directives of the Executive branch, yes.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    5. Re:That's not how it "should" work by Xest · · Score: 1

      The problem with your argument is that you're working on some misguided assumption that only you get to define how the people are best served.

      Unfortunately, you need to understand that how you think you're best served, and how you're actually best served may well actually be two different things.

      Furthermore, even if they're not two different things, and even if you're right, you still have the fundamental problem of living in a democracy where it's not you, and only you that gets to dictate priorities and what's classed as serving the people. So whilst you may feel you're best served by having your device vulnerabilities patched, there may be a number of other people who see that as far less of a priority than not becoming the next Boston marathon bombing victim as a greater priority - whether that's objectively right or not doesn't really matter in a democracy. The CIA's priorities and definition of what is serving the people will be set by the elected leadership.

      So what you actually just did was gave your opinion on the internet and implied it's the only one true objective truth. Sorry to break it to you, but it's still just your opinion and not necessarily therefore correct, regardless of what you declare. There's every possibility that they are actually already serving the people the best way they can, whether you like that or not is ultimately irrelevant beyond your ability to influence it at the ballot box.

  5. Intelligence agencies vs threats–us in the m by asjk · · Score: 1

    nt

  6. Considering.... by Zurkeyon3733 · · Score: 1

    That some of the exploits they decided to hang onto, were actually malware code samples that would allow them to attribute attacks to foreign governments. When in fact they had nothing do to with said attack. In addition to this, they appear to have held onto exploits for vehicle control systems, that would allow them to ASSASSINATE people without detection. This is CERTAINLY NOT what they were hired to do. Not by any of the US citizens/agents that I know anyway. These are EXPOSED Black Ops Projects, by any other definition. Its time that someone unbiased investigated the CIA/NSA... They clearly are into some things they shouldn't be. Things that are CLEARLY ILLEGAL...

    1. Re:Considering.... by Tharkkun · · Score: 1

      That some of the exploits they decided to hang onto, were actually malware code samples that would allow them to attribute attacks to foreign governments. When in fact they had nothing do to with said attack. In addition to this, they appear to have held onto exploits for vehicle control systems, that would allow them to ASSASSINATE people without detection. This is CERTAINLY NOT what they were hired to do. Not by any of the US citizens/agents that I know anyway. These are EXPOSED Black Ops Projects, by any other definition. Its time that someone unbiased investigated the CIA/NSA... They clearly are into some things they shouldn't be. Things that are CLEARLY ILLEGAL...

      The CIA protects our country abroad. If these black ops missions saved millions of lives (which we know they have before) then one idiot like you being upset is worth it.

  7. Old stuff by clovis · · Score: 4, Informative

    It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discusssing since forever, and it's hardly just the CIA that's been taking advantage of the environment.

    And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
    Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IOT vendor to tell them that their device is a POS and hiw the CIA takes advantage when we and they all know this already?

  8. Re:The CIA is doing its job by nomadic · · Score: 1

    This is the EFF. Their minds dance forever in utopian fields of wildflowers.

  9. Did CIA kill Mike Hastings by controlling his car? by schwit1 · · Score: 5, Interesting
    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance...

  10. This is why people fear Artificial Intelligence by SharpFang · · Score: 4, Insightful

    So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.

    CIA was created to protect safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.

    It's silly to expect a spy agency to obey the law and play always fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect whatever they might have gained through holding to these exploits outweighs the losses of the public caused by the non-disclosure. CIA no longer serves USA. CIA just serves goals of CIA, and if means to these goals conflict with the good of USA, so be it, USA be damned.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:This is why people fear Artificial Intelligence by JustAnotherOldGuy · · Score: 1

      It's silly to expect a spy agency to obey the law and play always fair.

      Exactly, and I laugh at the naive simpletons who don't understand this.

      The only time you should believe this is when you're still in pre-school or a head-injury ward.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:This is why people fear Artificial Intelligence by SharpFang · · Score: 1

      That serves furthering the position of CIA. The victorious candidate is likely to favor them, grant them better funding, which will allow them to pursue their goals more efficiently. Damage to the country be damned.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  11. Not their job by jbrown.za · · Score: 4, Informative

    Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".

    It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.

    1. Re: Not their job by Zero__Kelvin · · Score: 1

      Who said anything about private individuals? Maybe you didn't know that all the Federal agencies use these same vulnerable systems? By leaving the hole they leave federal systems vulnerable too.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  12. I call Bullshit by mandark1967 · · Score: 4, Informative

    ...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    1. Re:I call Bullshit by mandark1967 · · Score: 1

      1 - Posted as AC? If you can't put your name next to your statements, STFU, coward.
      2 - The CIA's job is to spy. Evidently, they use vulnerabilities discovered in software to do that.
      3 - After re-reading your response, I can see why you'd post as AC. If you were any more dense you'd achieve spontaneous fission. That drivel isn't something I'd want my name next to, either.
      4 - Again, it's not the CIA's responsibility to uphold the privacy rights of citizens and, until you post links to or the directive(s)/regulation(s) themselves stating it "is" their responsibility, refer to #1 & #2 above.
      5 - Stop releasing shitty code full of holes.

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    2. Re:I call Bullshit by ooloorie · · Score: 1

      Specifically, failure to uphold the constitutional rights of citizens, such as the right to privacy, is probably - at least in legal theory - unacceptable.

      I think it's rather a stretch to go from a prohibition on unreasonable searches and seizures to "the CIA must disclose any and all bugs in anybody's computer software that could be used to gain unauthorized access to those computers".

    3. Re:I call Bullshit by mandark1967 · · Score: 1

      until you post links to or the directive(s)/regulation(s) themselves stating it "is" their responsibility, refer to #1 & #2 above

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    4. Re:I call Bullshit by mandark1967 · · Score: 1

      See #1 and #2

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    5. Re:I call Bullshit by Sabriel · · Score: 1

      The charter is subordinate to the Constitution, as as every CIA employee who took the oath of office and signed the affidavit affirming same should know:

      “I, [name], do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the duties of the office on which I am about to enter. So help me God.” Schooled CIA employees know that the Constitution also defines the role of federal employees: "To establish justice, insure domestic tranquility, provide for the common defense, promote the general welfare and secure the blessings of liberty."

        - work.chron.com/cia-oath-say-23447.html

    6. Re:I call Bullshit by EmptyHead · · Score: 1

      Cry me a river. I love the outrage about the govt gathering information, but no worries whatsoever about the likes of sociopathic corporations doing it for fun and profit. The folks with the gov have sworn an oath to uphold the constitution. Corporations only worship the dollar. Now contractors having access to some of this does concern me - they haven't been as brought into the fold and have less to lose.

  13. I disagree by Weaselmancer · · Score: 5, Insightful

    It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.

    I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.

    They're a spy agency, folks. This is what spies do.

    --
    Weaselmancer
    rediculous.
    1. Re:I disagree by edtice1559 · · Score: 1

      I thought CIA stood for confidentiality, integrity, and availability and that was the mission of this agency!

    2. Re: I disagree by Zero__Kelvin · · Score: 1

      Well you got it half right, conveniently leaving out the part that makes your argument obviously paper thin. Their mission is to collect and desseminate information. You seem to have left out that big word beginning with D.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re: I disagree by gnick · · Score: 1

      Their mission is to collect and desseminate information. You seem to have left out that big word beginning with D.

      Their purpose certainly isn't to disseminate everything they collect. That would be stupid and entirely counter-productive. Somebody quoted them up above:

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

      By asking them to disclose vulnerabilities that they're able to exploit, you're asking them to diminish their capabilities. Patching the world isn't their job - Spying on it is.

      --
      He's getting rather old, but he's a good mouse.
    4. Re: I disagree by Zero__Kelvin · · Score: 1

      How, prey tell us, do you leave all the computers in the government and major industries that drive our nation like power plants and airlines vulnerable and still protect the national interest? That's quite a trick!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re: I disagree by Talderas · · Score: 1

      Prior to these leaks no one knew that the CIA knew about these exploits. Now everyone knows the CIA knows about these exploits. This provides two clear problems for intelligence gathering for the CIA.

      1. Other individuals and organizations will address these exploits making the exploits useless for government actors.
      2. Other individuals and organizations will cease using these exploits for intelligence gathering as they're aware that the CIA knows about them. This does not mean that they don't have other exploits that can be used.

      In order to effectively gather intelligence the enemy cannot know that you know what they know. This means the CIA can no longer use their knowledge of these exploits to create honeypots. Enemy actors will know and have just cause to suspect any information they gain via these exploits or avoid them to prevent any surveillance on their activities that could indicate what they're interested in.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    6. Re: I disagree by Zero__Kelvin · · Score: 1

      You are confusing the word information when you mean capability. The capability to break in is not the commodity information. You are basically saying that now that I know that they MIGHT be able to get at my information that I'll stop communicating.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re: I disagree by gnick · · Score: 1

      ...do you leave all the computers in the government and major industries that drive our nation like power plants and airlines vulnerable...

      Yes, you leave them vulnerable. They will always be vulnerable - The CIA has only discovered a subset of the global population of software vulnerabilities. Securing the planet is not the CIA's job; it should not be; and searching for vulnerabilities only to disclose them to the world would be a misuse of tax dollars. There are other, preferable, ways of finding, reporting, and patching bugs that do not waste the time of our intelligence agencies.

      --
      He's getting rather old, but he's a good mouse.
  14. Re:Their job? by Archtech · · Score: 1, Troll

    Their job is to stop Mohammed from blowing up your children.

    It's a bit late for that, unless they also have time machines. The best way to prevent "Mohammed from blowing up your children" (and when did that last happen in the USA?) would have been to refrain from blowing up his children. And his wife, and his aunts and uncles and his parents and his friends. And his dog.

    Unfortunately that carrier task force sailed decades ago.

    --
    I am sure that there are many other solipsists out there.
  15. Re:Their job? by Zurkeyon3733 · · Score: 1

    Try about 1400 years ago... A Few Questions for you... when was the last Cure invented by Muslims? The Last Surgical Procedure? The Last Great Piece of Technology? The Last Great Scientific Discovery? Then was the last time they lead a Humanitarian mission, to say, anywhere? When was the last time Israel, Iraq, Iran, Syria, Pakistan, or Afghanistan took in Refugees? When was the last Vaccine they invented? The last Nobel Prize? The Last Accomplishment in Space Travel? The Last Accomplishment in Women's Rights? Their Last Peace Accord? Their Last PUBLIC Admonishment Of The Muslim Brotherhood, Hamas, ISIS, the Taliban, the Rapes in Cologne, or ANY of the Recent Attrocities attributed to their people? Typically, I see them making excuses for Terrorists. nothing more. Show me their VALUE to society... I would TRULY like to see it. They invented Algebra about 2000 years ago. So that does NOT count. Show me what good they have done for the world LATELY. Last 1400 years or so. List their accomplishments. Lets hear it. :-)

  16. Re:The CIA is doing its job by Dissenter · · Score: 2

    Saddly I have to agree. While in those fields of wildflowers, the ideal humanity has nothing but love and respect for its fellow human, but as long as that ideal exists, countries will continue to need security organizations like the CIA to keep an eye on those that dno not share those ideals. Until the entire world unilaterally accepts one another and the common good, there is a need for a defensive stance and that stance cannot support the altruistic ideas that most of us would love to adopt.

    All of that said, the EFF does an outstanding job working to hold non-defense organizations accountable to their conumers and the self imposed privacy rules that they claim to hold so near and dear. I just wish that they would pick their battles a bit better rather than trying to fight everyone at once.

    --

    Dissenter
    "There is no knowledge that is not power."

  17. Seriously? by JustAnotherOldGuy · · Score: 1

    "The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on."

    This is EXACTLY what I would expect of them. This is how they gain their advantage.

    No sane person would ever expect the CIA/NSA/FBI to announce that they found a security vulnerability. It would be like a burglar announcing to a home owner that he found an unlocked door.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. VEP doesn't mandate disclsoure by Registered+Coward+v2 · · Score: 3, Informative

    The Vulnerabilities Equities Process doesn't have a mandate to disclosure, merely to determine if they should disclose or keep it for use. The EFF explains it:

    EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.

    EFF v. NSA, ODNI - Vulnerabilities FOIA"

    The EFF has a heavily redacted copy of the policy the key statement in there is "When a decision is made to disseminate..."

    --
    I'm a consultant - I convert gibberish into cash-flow.
  19. Re:Their job? by godrik · · Score: 4, Informative

    Challenge accepted. In the last 10 years:
    -Malala Yousafzai is a nobel peace prize winner and she is from pakistan. https://www.nobelprize.org/nob...
    -Aziz Sancar was born and educated in turkey (difficult to tell whether he is of muslim faith or not, but he was probably at least raised in that culture) and is a chemistry nobel prize recipient.
    -Maryam Mirzakhani was born and educated (up to bachelor) in Iran and received a Fields medal.

  20. CIA doesnt own these Vulnerabilities. by Anonymous Coward · · Score: 1

    CIA is leasing them.

    It is the same wink and nod that fouls poor Theo de Radt until he found where one of his co-developers contracted a vulnerability. I'm aware of one security firm that sells exploits top-dollar to agencies of government around the world and his personal team were at the forefront of DefCON wowing entrants:

    lookup Gary Storer around either Redondo or Hermosa.

  21. Re: Intel CPU backdoor by Zero__Kelvin · · Score: 1

    Dude, that's HORRIBLE! Somebody should invent UEFI so there would be a way to disable it in a UEFI configuration!

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  22. Re:Really? by bobbied · · Score: 1

    You are right. The CIA is NOT responsible for ones personal security. They are involved in NATIONAL security, which is related to personal security, but the two concepts are NOT the same thing.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  23. Re:Did CIA kill Mike Hastings by controlling his c by Anonymous Coward · · Score: 1

    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance...

    Some of us have been saying that for a long time. I work in security in the auto industry. The vehicle Michael Hastings was driving has throttle-by-wire. The Mercedes C-class has a feature called ADAPTIVE BRAKE which sounds like it needs brake-by-wire. If you've got by-wire control of throttle and break, a sophisticated attacker (like the CIA or NSA) could mostly likely cause a crash like the Michael Hastings crash.

  24. Re:yeah, be responsible, CIA! by bobbied · · Score: 2

    Yea, in the addled minds of some posters They think the following statement is true: National security == Personal security

    Sorry folks, that evaluates to false...

    The CIA is charged with protecting National Security by gathering intelligence on foreign targets. They are NOT charged with protecting individual's personal security though their protection of the nation does protect the individual in some ways.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  25. Re:Intel CPU backdoor by Bob+the+Super+Hamste · · Score: 1

    Looks like APK is off his meds again, or the institution let him on the internet. again.

    --
    Time to offend someone
  26. no, they don't by ooloorie · · Score: 1

    Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    It is the responsibility of US spy agencies not to violate the security and privacy of Americans; it is not their responsibility to fix security and privacy problems domestically.

    You're probably confused because sometimes spy agencies say "in our operations, we protect the security and privacy of Americans", but that's in the same sense of "when we ship glass, we protect it from breaking", not "we protect all American glass from breaking ever".

  27. Re:Your worship of the State is the problem by ACE209 · · Score: 1

    God outsourced his job responsibilities to the CIA in order to give him more time to watch you masturbate.

    I think watching people masturbate was outsourced to DHS and FBI at some point.

    I wonder what god does now, with so much free time on his hands.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  28. That is nice. Now what? by houghi · · Score: 3, Insightful

    So they are guilty. The NSA are guilty. The FBI are guilty. The whole government is guilty. And all I see is a lot of people discussing it and no action taken.

    If I as a kid stole a cookie and my mom told me of and I stole another one and still nothing happened, why would I stop stealing the cookies? They are great tasting cookies.

    As long as there are no consequences, except for some whining, why would they NOT do it? You can discuss it among yourselves, but they do not care.

    --
    Don't fight for your country, if your country does not fight for you.
  29. Why doesn't WikiLeaks publish Russian or Chinese.. by footNipple · · Score: 2

    ...intelligence documents? Just asking.

  30. I have no problem by ckatko · · Score: 1

    I have no problem with our intelligence agencies keeping tools and means to hack.

    I DO HAVE a problem when they're used against American citizens and even used to murder them without a trial.

    Our government should be doing everything it can to PROTECT us against China, Russia, etc. It should not be treating >us like antagonists to be targeted and crushed. It's time we stop treating our citizens like "criminals in the making".

  31. nothing new by liquid_schwartz · · Score: 1

    The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process.

    This is the same group of idiots that are largely responsible for polio still being around (citation below). Failing to accurately assess risk and shortsighted thinking are nothing new to these folks.

    Citation:

    https://www.scientificamerican...

  32. Are you on drugs? by ackkamoto · · Score: 1

    Seriously does anyone take EFF seriously ? Put on your big boy pants and learn how the real world works, no one in government is in computer security for altruistic reasons and gives 2 shits about making other people more secure, they just want information to give them more power.

  33. Re:Come say that to my face motherfucker... apk by Bob+the+Super+Hamste · · Score: 1

    And yet you seem to be able to prove my point time and time again with your delusions, non-sequiturs, circular arguments, incoherent ravings, and general paranoia. Although I should have know it wasn't you who made that post even though the author does a pretty good job of copying your /. style as you do claim credit for your mad ravings. It is also rather entertaining to bait you and then just stop responding once the rise has been gotten like I am going to do now.

    --
    Time to offend someone
  34. Re:Your worship of the State is the problem by lgw · · Score: 1

    If you think that coming up with ways to assassinate people is worthy work, then your mind is warped.

    Oh, so you wouldn't have assassinated Hitler, given the chance? We could have saved a lot of grief had it been possible to assassinate Saddam Hussein rather than drive in there and drag him out of his spider hole in person.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  35. They do. When there is such stuff. by Anonymous Coward · · Score: 1

    But slashdot being infested by merkins mostly describes the problems of the USA from a USA centric perspective. Go to WL and look up the document releases. And you will find one for Russia or China quite easily. Ergo, the answer to your petulant whinge is "They do, you just never bother to remember"

  36. Re:Did CIA kill Mike Hastings by controlling his c by Anonymous Coward · · Score: 1

    You'd have to physically modify the car to kill someone in anything other than a sudden lane switch into an oncoming car.

    What evidence do you have that physical access would be required?

    This is a The Mercedes C-class with a cellular modem built into it with full access to the CAN bus and by-wire system.

    That's like claiming an Internet connected server absolutely requires physical access to break into, a claim that has been proven false time and time again.

    Every other scenario in a pure software hack setting is defeated by putting the car into neutral and pulling the parking brake. The electronic systems control neither of those things.

    The electronic control system absolutely has control over the breaks. It must, since the peddle is nothing but a switch and the breaks are controlled electronically. It would be impossible to apply the breaks and stop without the electronic control system.

    The same is true for the accelerator, and the transmission controller.

    Being physically in the car it would be impossible to put the transmission in neutral once the computer was instructed to ignore the input channel from the gear shift switches, and it would be impossible to break once the computer was instructed to ignore the input channel for the break peddle.

    Even steering can be by-wire. I don't personally know if the C-class uses that or not, but there is no reason to make any assumptions either way.
    By-wire and physical shaft steering are both things that exist and that Mercedes can choose which to avail themselves of.

  37. Re:Right on! by laxguy · · Score: 1

    If its a false flag then no children were harmed.

  38. Re:Come say that to my face motherfucker... apk by lgw · · Score: 1

    See my subject Bob the Super WEASEL behind a FAKE NAME online for your FAKE LIFE sockpuppet that you are w/ no balls:

    I'm pretty sure we all knew "Bob the Super Hamster" wasn't actually his real name. Just sayin'

    --
    Socialism: a lie told by totalitarians and believed by fools.
  39. Re:Their job? by Archtech · · Score: 1

    Er, how does any of that justify blowing them up?

    --
    I am sure that there are many other solipsists out there.
  40. Re:Their job? by Archtech · · Score: 1

    Challenge accepted.

    And you therefore lose. You have accepted a challenge to debate an irrelevant, orthogonal issue. Whether it is right to kill Muslims wholesale does not depend on how many gadgets they invent or how many Nobel Prizes they win.

    Best not feed the trolls.

    --
    I am sure that there are many other solipsists out there.
  41. Re:Their job? by Trogre · · Score: 1

    Three. The first of which is worthless.

    Was that the best you could do?

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  42. Re:Dont you mean Georgia? by unixisc · · Score: 1

    Whoosh!!!

  43. So what... by billybiro · · Score: 1

    Dear The Hoi Polloi,

    We'll do what we want. What are you going to do about it?

    Yours (up the a$$),
    The CIA.

  44. Re:Their job? by Zurkeyon3733 · · Score: 1

    2.... in 1400 years. Do you actually consider this a societal accomplishment? LOLOLOL