Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Posted by msmash on from the is-it-worth-the-sacrifice dept.

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

23 of 246 comments (clear)

  1. Who's Responsibility? by ISoldat53 · · Score: 5, Insightful

    Is it the CIA's responsibility to point these out? How many "flaws" are intentional?

    1. Re:Who's Responsibility? by Anonymous Coward · · Score: 5, Insightful
      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

    2. Re:Who's Responsibility? by goombah99 · · Score: 4, Insightful

      It's like how when the CIA discovers a Russian General has a secret to hide they never black mail him but immediately notify the Russian Authorities of their vulnerability.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    3. Re:Who's Responsibility? by ThomasBHardy · · Score: 5, Interesting

      While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.

      I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.

      But I'm not so sure that they have a legal obligation to do so.

      There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.

      So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.

      --
      Warning: Teh poster of this messaeg is lysdexic
    4. Re:Who's Responsibility? by thegarbz · · Score: 5, Informative

      Says the CIA on their about page under responsibilities of the director.

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

    5. Re:Who's Responsibility? by Opportunist · · Score: 4, Insightful

      It's the CIAs job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.

      In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re: Who's Responsibility? by Impy+the+Impiuos+Imp · · Score: 3, Insightful

      Thb they would probably argue they are protecting the safety of US citizens by maintaining a spy capability. That is their job, not turning over those same vulnerabilities.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:Who's Responsibility? by T.E.D. · · Score: 4, Interesting

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

      "intelligence" is government-speak for information they took from someone. If your desk safe has a factory combination that always works, that isn't "intelligence". The contents of what they found inside your safe when they used that combo is intelligence.

      So no, its not their job to warn US citizens if they are vulnerable domestically. That's called "domestic counter-intelligence", and is explicitly the FBI's job.

      Sure, it would be nice if the CIA did it anyway. But if that burns a method they are finding useful themselves to do things that ARE their job, I wouldn't hold my breath.

    8. Re: Who's Responsibility? by Anonymous Coward · · Score: 4, Insightful

      The problem with not having this released by Wikileaks is that until now, the people who claimed this capability existed were labeled as paranoid conspiracy theorists. Same thing with Snowden's leaks. I saw a column in the USA Today just now that said Americans don't need to worry because the CIA doesn't spy on Americans. Utter crap. They give the tools to European agencies to spy on us in the USA and we spy on their citizens for them.
      National security does not justify whatever they want to do. They no longer fear prosecution because no one faced consequences after the Snowden leaks.
      Basically, if nothing happens now except a manhunt for the whistleblower, we are all freaking doomed.

    9. Re:Who's Responsibility? by AmiMoJo · · Score: 4, Interesting

      They knew that Samsung TVs could be used to spy on people via their cameras and microphones. Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc. And in all likelihood, the Russians and the Chinese and the Iranians and the North Koreans and GCHQ and many other intelligence agencies know all this too. I wouldn't be at all surprised if for-hire black hats knew as well.

      So the CIA has a choice. Sit on this information and use it to gather intel themselves, but leaving the US at severe risk, or publish and give up their capability but also deny it to their adversaries. They must have either decided that the intel was more valuable than the loss to US citizens and corporations, or more likely never even had this discussion.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. CIA is a spy agency that breaks the law. by Anonymous Coward · · Score: 4, Interesting

    The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

  3. Old stuff by clovis · · Score: 4, Informative

    It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discusssing since forever, and it's hardly just the CIA that's been taking advantage of the environment.

    And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
    Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IOT vendor to tell them that their device is a POS and hiw the CIA takes advantage when we and they all know this already?

  4. Re:I don't agree by Fire_Wraith · · Score: 5, Insightful

    You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.

    The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.

    In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?

  5. Did CIA kill Mike Hastings by controlling his car? by schwit1 · · Score: 5, Interesting
    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance...

  6. This is why people fear Artificial Intelligence by SharpFang · · Score: 4, Insightful

    So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.

    CIA was created to protect safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.

    It's silly to expect a spy agency to obey the law and play always fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect whatever they might have gained through holding to these exploits outweighs the losses of the public caused by the non-disclosure. CIA no longer serves USA. CIA just serves goals of CIA, and if means to these goals conflict with the good of USA, so be it, USA be damned.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  7. Not their job by jbrown.za · · Score: 4, Informative

    Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".

    It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.

  8. I call Bullshit by mandark1967 · · Score: 4, Informative

    ...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  9. I disagree by Weaselmancer · · Score: 5, Insightful

    It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.

    I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.

    They're a spy agency, folks. This is what spies do.

    --
    Weaselmancer
    rediculous.
  10. Re:I don't agree by tinkerton · · Score: 4, Insightful

    Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them(well, hypothetically, let's say 'better defined') The FBI is domestic but has its constraints. The NSA does hacking but has its constraints . The CIA does spying.
    Then if the CIA expands into the domestic front and into the hacking front without the constraints, (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The common response though is 'the CIA is defending us they don't need to be constrained.' Yeah right. The whole security apparatus has gotten completely out of hand.

  11. Re:That's not how it "should" work by moeinvt · · Score: 3, Interesting

    Do they really "exist" to gather information, or is gathering information just one tactic that they use as part of a larger mission? I'd argue that the only reason for their existence, or the existence of government in general, is to serve The People. Don't they repeatedly justify their activities by the claim that they're doing us a service?

    Suggesting that the intelligence agencies exist purely for information gathering is the same as saying that the military exists purely to blow things up and kill people. They're good at doing that, but they do it in pursuit of a particular mission. "Invade and Occupy Iraq and find all the WMDs" for example.

    If the mission of the intelligence agencies is to serve The People who pay the taxes and from whom the government derives its just power, they are doing us a disservice because we're not only vulnerable to THEIR information gathering, but vulnerable to anyone else in the world who figures out how to exploit same vulnerabilities.

  12. VEP doesn't mandate disclsoure by Registered+Coward+v2 · · Score: 3, Informative

    The Vulnerabilities Equities Process doesn't have a mandate to disclosure, merely to determine if they should disclose or keep it for use. The EFF explains it:

    EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.

    EFF v. NSA, ODNI - Vulnerabilities FOIA"

    The EFF has a heavily redacted copy of the policy the key statement in there is "When a decision is made to disseminate..."

    --
    I'm a consultant - I convert gibberish into cash-flow.
  13. Re:Their job? by godrik · · Score: 4, Informative

    Challenge accepted. In the last 10 years:
    -Malala Yousafzai is a nobel peace prize winner and she is from pakistan. https://www.nobelprize.org/nob...
    -Aziz Sancar was born and educated in turkey (difficult to tell whether he is of muslim faith or not, but he was probably at least raised in that culture) and is a chemistry nobel prize recipient.
    -Maryam Mirzakhani was born and educated (up to bachelor) in Iran and received a Fields medal.

  14. That is nice. Now what? by houghi · · Score: 3, Insightful

    So they are guilty. The NSA are guilty. The FBI are guilty. The whole government is guilty. And all I see is a lot of people discussing it and no action taken.

    If I as a kid stole a cookie and my mom told me of and I stole another one and still nothing happened, why would I stop stealing the cookies? They are great tasting cookies.

    As long as there are no consequences, except for some whining, why would they NOT do it? You can discuss it among yourselves, but they do not care.

    --
    Don't fight for your country, if your country does not fight for you.