Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

← Back to Stories (view on slashdot.org)

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Posted by msmash on Wednesday March 8, 2017 @02:40AM from the is-it-worth-the-sacrifice dept.

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

41 of 246 comments (clear)

Min score:

Reason:

Sort:

Who's Responsibility? by ISoldat53 · 2017-03-08 02:44 · Score: 5, Insightful

Is it the CIA's responsibility to point these out? How many "flaws" are intentional?
1. Re:Who's Responsibility? by Anonymous Coward · 2017-03-08 02:46 · Score: 5, Insightful
  
  Did you not read the summary?
  
  Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
  It's their job.
2. Re:Who's Responsibility? by phayes · 2017-03-08 02:56 · Score: 2
  
  Says who?
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
3. Re:Who's Responsibility? by goombah99 · 2017-03-08 02:57 · Score: 4, Insightful
  
  It's like how when the CIA discovers a Russian General has a secret to hide they never black mail him but immediately notify the Russian Authorities of their vulnerability.
  
  --
  Some drink at the fountain of knowledge. Others just gargle.
4. Re:Who's Responsibility? by rmdingler · 2017-03-08 03:00 · Score: 2
  
  Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
  Security yes... abroad. Privacy: not so much.
  The CIA has been historically responsible for international operations, including spying in and on foreign nations. The FBI is supposed to do those things inside the country.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
5. Re:Who's Responsibility? by nomadic · 2017-03-08 03:04 · Score: 2
  
  Pretty much. This story makes zero sense. The CIA didn't just happen to find security flaws, they intentionally looked for them so they could exploit them.
6. Re:Who's Responsibility? by ThomasBHardy · 2017-03-08 03:11 · Score: 5, Interesting
  
  While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.
  I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.
  But I'm not so sure that they have a legal obligation to do so.
  There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.
  So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.
  
  --
  Warning: Teh poster of this messaeg is lysdexic
7. Re:Who's Responsibility? by thegarbz · 2017-03-08 03:12 · Score: 5, Informative
  
  Says the CIA on their about page under responsibilities of the director.
  Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;
8. Re:Who's Responsibility? by Opportunist · 2017-03-08 03:27 · Score: 4, Insightful
  
  It's the CIAs job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.
  In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
9. Re: Who's Responsibility? by chasm22 · 2017-03-08 03:50 · Score: 2
  
  And, in your mind, there will never be any problem deciding what is appropriate?
  It seems to me to be a typical document meant to cast an 'appropriate' image of an agency whose very nature makes it impossible to easily explain its actions.
  I find this action by Wikileaks to be disturbing by its timing. The contents shouldn't be a total surprise.
  There's been plenty of hints going back years. In 2003 we had OnStar versus the FBI. A couple of years ago Verizon tried to patent an invention that made your TV both a display and a video cam.
10. Re:Who's Responsibility? by gnick · 2017-03-08 03:50 · Score: 2
  
  Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;
  
  The definition of the word "appropriate" makes all the difference in that statement. Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?
  
  --
  He's getting rather old, but he's a good mouse.
11. Re:Who's Responsibility? by Stephan+Schulz · 2017-03-08 04:03 · Score: 2
  
  I cannot resist. "In Soviet Russia, TV watches you." More seriously, it looks like 1984 was a documentary...
  
  --
  Stephan
12. Re: Who's Responsibility? by Impy+the+Impiuos+Imp · 2017-03-08 04:05 · Score: 3, Insightful
  
  Thb they would probably argue they are protecting the safety of US citizens by maintaining a spy capability. That is their job, not turning over those same vulnerabilities.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
13. Re:Who's Responsibility? by T.E.D. · 2017-03-08 04:11 · Score: 4, Interesting
  
  Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;
  "intelligence" is government-speak for information they took from someone. If your desk safe has a factory combination that always works, that isn't "intelligence". The contents of what they found inside your safe when they used that combo is intelligence.
  So no, its not their job to warn US citizens if they are vulnerable domestically. That's called "domestic counter-intelligence", and is explicitly the FBI's job.
  Sure, it would be nice if the CIA did it anyway. But if that burns a method they are finding useful themselves to do things that ARE their job, I wouldn't hold my breath.
14. Re: Who's Responsibility? by Anonymous Coward · 2017-03-08 04:12 · Score: 4, Insightful
  
  The problem with not having this released by Wikileaks is that until now, the people who claimed this capability existed were labeled as paranoid conspiracy theorists. Same thing with Snowden's leaks. I saw a column in the USA Today just now that said Americans don't need to worry because the CIA doesn't spy on Americans. Utter crap. They give the tools to European agencies to spy on us in the USA and we spy on their citizens for them.
  National security does not justify whatever they want to do. They no longer fear prosecution because no one faced consequences after the Snowden leaks.
  Basically, if nothing happens now except a manhunt for the whistleblower, we are all freaking doomed.
15. Re: Who's Responsibility? by jafiwam · 2017-03-08 04:14 · Score: 2
  
  "Correlating and evaluating intelligence related to the national security.."
  Bobs hacked Samsung TV is not a national security issue. Its not the CIA's job to worry about the fact that someone could possibly compromise your smart phone revealing all your most sensitive dick picks. The CIA holds on to vulnerabilities like these to do little insignificant things like hacking the NK nuclear missile programs stalling a potential international conflict, hacking Iranian nuke programs, thwarting terrorist bombings by interception of communications, destabilizing foreign nations that are apposed to your existence, etc.. But I'm sure your dick pics should be their top priority.
  You forgot "Spy on opposition candidates"
16. Re:Who's Responsibility? by AmiMoJo · 2017-03-08 04:24 · Score: 4, Interesting
  
  They knew that Samsung TVs could be used to spy on people via their cameras and microphones. Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc. And in all likelihood, the Russians and the Chinese and the Iranians and the North Koreans and GCHQ and many other intelligence agencies know all this too. I wouldn't be at all surprised if for-hire black hats knew as well.
  So the CIA has a choice. Sit on this information and use it to gather intel themselves, but leaving the US at severe risk, or publish and give up their capability but also deny it to their adversaries. They must have either decided that the intel was more valuable than the loss to US citizens and corporations, or more likely never even had this discussion.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
17. Re:Who's Responsibility? by unixisc · 2017-03-08 04:47 · Score: 2
  
  Actually, 1984 was an Oracle or Nostradamus prediction - only thing - happened to be off by 32 years
18. Re: Who's Responsibility? by leftCoaster · 2017-03-08 07:02 · Score: 2
  
  Suppose the general is abusing his son. Suppose he is discussing something with his mistress. Suppose the general is dressing up in his daughter's clothes. Knowing any of that could make him vulnerable to coercion. This leverage could be used to influence the general in subtle ways.
  One reason people objected to the collection of meta-data was that with sufficient, seemingly innocent, data it is possible to discern guilty behavior.
I don't agree by Anonymous Coward · 2017-03-08 02:46 · Score: 2, Informative

The NSA is supposed to help and disclose vulnerabilities to the US at the evry least, rather than exploit them. The CIA on the other hand has no such goal, and the sole reason to search vulnerabilities is to exploit them onto every other countries.
1. Re:I don't agree by SharpFang · 2017-03-08 02:53 · Score: 2
  
  "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
2. Re:I don't agree by Fire_Wraith · 2017-03-08 03:07 · Score: 5, Insightful
  
  You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.
  
  The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.
  
  In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?
3. Re:I don't agree by tinkerton · 2017-03-08 03:42 · Score: 4, Insightful
  
  Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them(well, hypothetically, let's say 'better defined') The FBI is domestic but has its constraints. The NSA does hacking but has its constraints . The CIA does spying.
  Then if the CIA expands into the domestic front and into the hacking front without the constraints, (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The common response though is 'the CIA is defending us they don't need to be constrained.' Yeah right. The whole security apparatus has gotten completely out of hand.
CIA is a spy agency that breaks the law. by Anonymous Coward · 2017-03-08 02:46 · Score: 4, Interesting

The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.
1. Re: CIA is a spy agency that breaks the law. by Kkloe · 2017-03-08 02:54 · Score: 2
  
  It is called doing their job like any * dum dum dum * spy agency should do, maybe you have heard of such terms. If you have problems with how they do their job complain to their boss(es).
2. Re:CIA is a spy agency that breaks the law. by Archtech · 2017-03-08 03:29 · Score: 2
  
  Is there an equivalent of Godwin's Law for Israel and the Jews? Because there ought to be.
  
  --
  I am sure that there are many other solipsists out there.
3. Re:CIA is a spy agency that breaks the law. by unixisc · 2017-03-08 04:53 · Score: 2
  
  The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.
  Iran Contra was not a CIA operation: it was an NSC operation - Ollie North was an NSC guy.
  Anyway, right now, the various intel agencies are more dedicated to running a background government of their own, complete w/ their own foreign and defense policies. Which is why they're doing their utmost to undermine the president. Having tasted blood in the form of Lt Gen Flynn, they're now targeting Sessions and anyone else they perceive as a threat, so that they can get their own swamp nominees in.
That's not how it "should" work by phayes · 2017-03-08 02:55 · Score: 2, Interesting

Right, so when the CIA/NSA/whatever, uses a vulnerability that gives them access to information -- that it is their reason for existing, they should immediately turn the vulnerability over to the device manufacturer so that they will patch it.
Because these agencies exist and are financed to perform vulnerability testing for Apple/Google/Microsoft/HP/Dell/ZTE/Huawei/etc!?!?
Methinks that anyone that can say "that's not how it should work" with a straight face can only be a lawyer, habituated to defining truth as "whatever best serves me/my client".
We cannot be appalled by the lies of people like Trump and at the same time accept it when people who are say that they are defending us from his and other deceptions are also lying to us.
EFF, this does not help as it only gives Trump et all more ammunition.

--
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
1. Re:That's not how it "should" work by moeinvt · 2017-03-08 03:59 · Score: 3, Interesting
  
  Do they really "exist" to gather information, or is gathering information just one tactic that they use as part of a larger mission? I'd argue that the only reason for their existence, or the existence of government in general, is to serve The People. Don't they repeatedly justify their activities by the claim that they're doing us a service?
  Suggesting that the intelligence agencies exist purely for information gathering is the same as saying that the military exists purely to blow things up and kill people. They're good at doing that, but they do it in pursuit of a particular mission. "Invade and Occupy Iraq and find all the WMDs" for example.
  If the mission of the intelligence agencies is to serve The People who pay the taxes and from whom the government derives its just power, they are doing us a disservice because we're not only vulnerable to THEIR information gathering, but vulnerable to anyone else in the world who figures out how to exploit same vulnerabilities.
Old stuff by clovis · 2017-03-08 03:05 · Score: 4, Informative

It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discusssing since forever, and it's hardly just the CIA that's been taking advantage of the environment.
And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IOT vendor to tell them that their device is a POS and hiw the CIA takes advantage when we and they all know this already?
Did CIA kill Mike Hastings by controlling his car? by schwit1 · 2017-03-08 03:09 · Score: 5, Interesting

Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash
http://www.news.com.au/finance...
This is why people fear Artificial Intelligence by SharpFang · 2017-03-08 03:10 · Score: 4, Insightful

So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.
CIA was created to protect safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.
It's silly to expect a spy agency to obey the law and play always fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect whatever they might have gained through holding to these exploits outweighs the losses of the public caused by the non-disclosure. CIA no longer serves USA. CIA just serves goals of CIA, and if means to these goals conflict with the good of USA, so be it, USA be damned.

--
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Not their job by jbrown.za · 2017-03-08 03:14 · Score: 4, Informative

Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".

It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.
I call Bullshit by mandark1967 · 2017-03-08 03:14 · Score: 4, Informative

...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
I disagree by Weaselmancer · 2017-03-08 03:28 · Score: 5, Insightful

It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.
I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.
They're a spy agency, folks. This is what spies do.

--
Weaselmancer
rediculous.
Re:The CIA is doing its job by Dissenter · 2017-03-08 03:58 · Score: 2

Saddly I have to agree. While in those fields of wildflowers, the ideal humanity has nothing but love and respect for its fellow human, but as long as that ideal exists, countries will continue to need security organizations like the CIA to keep an eye on those that dno not share those ideals. Until the entire world unilaterally accepts one another and the common good, there is a need for a defensive stance and that stance cannot support the altruistic ideas that most of us would love to adopt.
All of that said, the EFF does an outstanding job working to hold non-defense organizations accountable to their conumers and the self imposed privacy rules that they claim to hold so near and dear. I just wish that they would pick their battles a bit better rather than trying to fight everyone at once.

--
Dissenter
"There is no knowledge that is not power."
VEP doesn't mandate disclsoure by Registered+Coward+v2 · 2017-03-08 04:08 · Score: 3, Informative

The Vulnerabilities Equities Process doesn't have a mandate to disclosure, merely to determine if they should disclose or keep it for use. The EFF explains it:
EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.
EFF v. NSA, ODNI - Vulnerabilities FOIA"
The EFF has a heavily redacted copy of the policy the key statement in there is "When a decision is made to disseminate..."

--
I'm a consultant - I convert gibberish into cash-flow.
Re:Their job? by godrik · 2017-03-08 04:31 · Score: 4, Informative

Challenge accepted. In the last 10 years:
-Malala Yousafzai is a nobel peace prize winner and she is from pakistan. https://www.nobelprize.org/nob...
-Aziz Sancar was born and educated in turkey (difficult to tell whether he is of muslim faith or not, but he was probably at least raised in that culture) and is a chemistry nobel prize recipient.
-Maryam Mirzakhani was born and educated (up to bachelor) in Iran and received a Fields medal.
Re:yeah, be responsible, CIA! by bobbied · 2017-03-08 04:52 · Score: 2

Yea, in the addled minds of some posters They think the following statement is true: National security == Personal security
Sorry folks, that evaluates to false...
The CIA is charged with protecting National Security by gathering intelligence on foreign targets. They are NOT charged with protecting individual's personal security though their protection of the nation does protect the individual in some ways.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
That is nice. Now what? by houghi · 2017-03-08 05:17 · Score: 3, Insightful

So they are guilty. The NSA are guilty. The FBI are guilty. The whole government is guilty. And all I see is a lot of people discussing it and no action taken.
If I as a kid stole a cookie and my mom told me of and I stole another one and still nothing happened, why would I stop stealing the cookies? They are great tasting cookies.
As long as there are no consequences, except for some whining, why would they NOT do it? You can discuss it among yourselves, but they do not care.

--
Don't fight for your country, if your country does not fight for you.
Why doesn't WikiLeaks publish Russian or Chinese.. by footNipple · 2017-03-08 05:19 · Score: 2

...intelligence documents? Just asking.