Slashdot Mirror


Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

7 of 246 comments

  1. Whose Responsibility? by ISoldat53 · Score: 5, Insightful

    Is it the CIA's responsibility to point these out? How many "flaws" are intentional?

    1. Re:Whose Responsibility? by Anonymous Coward · Score: 5, Insightful
      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

    2. Re:Whose Responsibility? by ThomasBHardy · Score: 5, Interesting

      While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.

      I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.

      But I'm not so sure that they have a legal obligation to do so.

      There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.

      So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.

      --
      Warning: Teh poster of this messaeg is lysdexic
    3. Re:Whose Responsibility? by thegarbz · Score: 5, Informative

      Says the CIA on their about page under responsibilities of the director.

      Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

  2. Re:I don't agree by Fire_Wraith · Score: 5, Insightful

    You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.

    The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.

    In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?

  3. Did CIA kill Mike Hastings by controlling his car? by schwit1 · Score: 5, Interesting
    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance...

  4. I disagree by Weaselmancer · Score: 5, Insightful

    It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.

    I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.

    They're a spy agency, folks. This is what spies do.

    --
    Weaselmancer
    rediculous.