WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."
This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should be ashamed of yourselves.
n/t
I was not aware that prioritizing customers over government contracts was a practice that only European companies were capable of. Doesn't having government contracts mean that the government is your customer? How exactly is that supposed to work? Maybe Assange meant to say "may prefer organizations such as Mozilla or European companies that prioritize their users over United States government contracts."
Assange fighting to stay relevant by any means possible. News at 11.
#DeleteChrome
For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.
Don't let your nationalism blind you.
They are in a position of inferior power towards the US gov. That's why they are in such a defensive position.
And the news here is: "the US gov. is ACTUALLY spying on you and wikileaks knows how it is doing it."
Micro$oft is in bed with the 3&4 letter agencies?
What the hell?
Why doesn't wikileaks publish the terms for everyone to see?
Are they waiting for someone to leak them?
Seems really hypocritical of them.
BYERS: And, Mulder, listen to this. Vladimir Zhirinovsky, the leader of the Russian Social Democrats? He's being put into power by the most heinous and evil force of the 20th century.
...
...
...
MULDER: Barney?
BYERS: The C.I.A.
BYERS: You don’t believe that the C.I.A., threatened by a loss of power and funding because of the collapse of the cold war, wouldn’t dream of having the old enemy back?
SCULLY: I think you give the government too much credit.
BYERS: I’m not talking about the bunch of idiots up on the hill trying to bone the capital pages. We’re talking about a dark network, a government within a government, controlling our every move.
SCULLY: How can they do that?
BYERS: How? I’ll show you how. You got a twenty dollar bill?
(Mulder laughs. Scully looks back at him. Byers pulls out the magnetic anti-counterfeiting strip.)
BYERS: That’s just one method. They use this magnetic strip to track you. Whenever you go through a metal detector at an airport, they know exactly how much you’re carrying.
I miss being able to say all of this was "just TV".
simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.
That doesn't make sense. A vulnerability is "new" depending on who you are. Typically they are called "new" when a public disclosure is made. Of course whoever discovered it already knew about it before the disclosure (you understand why, right?) so at that time it is no longer new to them.
If you are asking how many of these are new to the govt, the fact that they are in leaked documents already answers your question - they are not new to the govt.
If you are asking how many of them are new to blackhats outside the govt, we don't care, because they don't disclose either. And it doesn't matter whether it's a govt or non-govt blackhat. Either way they are out to get you.
Bet there are companies that aren't even aware of it. They just employ programmers, one of which happens to be awesome at the "underhanded-c" contest....
subtle
I see it this way. A vulnerability is found and an exploit is written. As time passes several things happen. The exploit gets distributed because of outsourcing and after a while there really are a lot of people who know about it. Other people also find out about the vulnerability. Some day software maker finds out and the bug is no longer zero day but the exploit will still work on unpatched systems so it sticks around until something much better replaces it.
As for the software company itself, I suspect most companies just take it as it comes. If they find out about a zero day bug they fix it and the CIA keeps silent. For some critical companies it may be different and the CIA may try to negotiate something, claiming nobody else will find out, or making an offer one cannot refuse. But knowing about a bug and not fixing it is complicated. It's not something you want people to find out and chances are they will. Knowing there is a bug but not investing in finding out is a bit easier. One only has limited resources.
The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.
Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can't destroy it, use it.
They thought they could turn over the chess board, but they're just another pawn.
Heard this lie before from you dude. Why are you trying so hard?
Fuck Wikileaks. I initially supported what they were trying to do, but they've proven to be complete assholes.
I don't respond to AC's.
I don't expect Wikileaks to be saintly and I think it's not necessary for them to be above all criticism in order to be valuable. Checks and balances are important because there is no good guy that you can trust with too much power. And Wikileaks both has value in it, and is one of the guys you can't trust with too much power.
That doesn't mean I believe the criticism about Wikileaks. That's just a giant and very successful FUD campaign.
For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad! Just look at all the posts on here. No, that doesn't have to be bad. It can be about wikileaks being paranoid about their action being used against them somehow. It can be about requiring the company to commit to actually fixing the bug within a certain period. It could be a mediocre decision by Wikileaks. That would still not be reason to make a big fuss about it.
> The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad!
All wikileaks has to do is publish these terms they expect the companies to sign.
Seriously, why the hell aren't they doing that? If wikileaks is only doing the right thing then there is no reason not to publish it.
It's fucking weird. You can't blame people for thinking it's fucking weird.
https://it.slashdot.org/story/16/12/13/053243/pwc-sends-legal-threats-to-researchers-who-found-critical-security-flaw
https://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill
https://yro.slashdot.org/story/05/01/11/0129228/security-researcher-faces-jail-for-finding-bugs
https://it.slashdot.org/story/15/05/05/2335223/cyberlock-lawyers-threaten-security-researcher-over-vulnerability-disclosure
Seriously, man, it took me like 4 seconds to type "security researcher sued site:slashdot.org" into Google.
You can't blame people for being gullible either. What you're saying is that wikileaks is guilty of something until proven otherwise. That what they're doing is very suspicious because they're obviously bad guys. Wikileaks is communicating with many companies. Some of them collaborate with governments and deliberately leave security gaps open. It's a tricky environment to work in and there will be lawyers involved all the time. You can just as well say that if Wikileaks is doing something nasty some of the companies will expose the communication.
A few 100 to 10's per year per product cycle? It depends on the average price and the clandestine budget for buying on the open market per year.
Say a budget range for a good exclusive deal per zero day for a new OS or device in the 100 of apps/code/access products?
That's the positive side that still looks corporate. It's hard to tell who is buying in the mix of buyers globally.
A flood of gov/mil cash in the wild would stand out even with a lot of US/UK front companies every year doing the malware buying.
The negative side ensuring no US or UK brand has the skills to find the issue and fix the issue days or months later.
If the security services buy too much in the wild, too many people start to notice and others want that payment or try to follow the payment front.
Other teams then start looking for the funding and find payment methods, staging servers. So the numbers are kept low per year to hide the mil/gov origins.
Also to avoid the better AV efforts and other security professionals from reading chat about too many big new cash payments.
Some are networked, some need a human to place the malware and collect the results.
A lot of different products are needed but too much and it's detected by a wider community interested in every aspect of computer security.
Domestic spying is now "Benign Information Gathering"
> That what they're doing is very suspicious because they're obviously bad guys
Stop projecting.
I'm saying why the hell is a transparency organization keeping a secret that shouldn't even be a secret. It isn't like they are a company negotiating for leverage against other companies to maximize a profit. There is no value in keeping these "industry standard" terms a secret. Especially if they really are "industry standard." Just post them already.
And if there is a value in keeping them secret, then explain what the value is so randos on the internet don't have to make up rationalizations for you.
If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.
I never brought up Russia though I understand why you'd assume I was talking about them. The US, Russia, China, literally any country or any organization can selectively leak info on competitors if they haven't figured out they can do this (and I'm sure they have) then they will.
It's trivial to manipulate Wikileaks by only leaking the narrative you want told.
I did indeed assume you were thinking of Russia.
It's not trivial to fool Wikileaks, but it's likely that it will happen to some extent (as in being fooled by the source but not by the data). Wikileaks is good at protecting the source but I'm not sure why someone who can defend himself wants to pass through wikileaks if the info is valid. Will it make a big difference compared to publishing through another channel?
The main worry of Wikileaks is that they get fed bad info in order to damage their credibility. There surely will be attempts at that. As they get strained more under the constant siege it is possible they may start making serious mistakes and errors of judgement. That's a plausible outcome. But then they're publishing false info and then it's likely others find out.
Wikileaks is good. Assange is an assclown and the organization would be better off without him.
what?!
so we have:
- one company that cares about the users and patches a security bug as fast as it can.
- another that knows about a hole, but as it is being used by some security agency, they do nothing for months, so that those agencies can still exploit the bugs (and who knows who else is also abusing the holes) until the agency has another zero day hole and the company can finally fix that bug, while still keeping other bugs "open"
Security fix delays are not about "regressions", they are about how companies work, how important security is for them and the real interest in fixing the problems.
There are bugs that are hard to fix and may create regressions, but most of them are simple missing checks or bad code that can be fixed in a few days. Half-a-year delays like MS sometimes has are another problem...
Higuita
While i agree this is a weakness of their system, the problems with them (basically just him now, tbh) go a lot deeper.
One of those problems is that these things they're trying to leverage are almost certainly not as important as they have claimed, they don't have anyone capable of assessing the impact internally... but also they're trying to apply leverage in the first place on stuff that is already industry standard, specifically (it appears) to paint these companies as irresponsible while simultaneously using the same vulnerability submission system already used by security researchers.
The fact that in merit of all this, this is effectively just another brand building exercise is also a problem.
Nope, this is not extortion nor blackmail, it is really trying to get a fix quickly and not letting companies screw their customers, either by being lazy or by security agencies' pressure.
If a company gets the bug report and then does not do anything for one year, what can wikileaks do? Release the info before the fix or wait more? Either way, it is already too much time for a security bug that is being abused, and in the end the info will be public with no one protected and in the end, it will always be wikileaks' fault.
A better way is to agree the terms of the disclosure, putting hard limits on the fix timelines. This pressures the company to follow the agreed timeline and release a fix. If they fulfill it, everyone wins; if they fail, wikileaks can pressure for the update and, depending on the reason for the delay, they can release the info without a patch and report that the company failed to keep the agreement. This proves that wikileaks tried to follow the rules and the fault for the problem is the company's.
I think this is totally logical. MS, Oracle and many other companies do not care about security or take way too long to release fixes... and as the article hints, security agencies can pressure them to keep the holes open. With an agreement, everyone knows what will happen and the end user will win. Without any agreement, just sending the info to the companies, those bugs could be open for months, being exploited by unknowns, and everyone loses.
Just check the security reports, most of them are fixed in a few days, so asking for a date limit is a good thing... as you also find security fixes that took way too long to be fixed.
Higuita
Assange saying Mozilla cares about their users? That's rich. If Mozilla cared at all about its users, then why do they do everything possible to fuck up the browser and hurt their users?
The real question is, if Mozilla has "already received" this information, why would they not share it with the other browser developers in the name of security?
Is one of Wikileaks' terms that they not disclose "secret information"? That would be pretty fucking hypocritical...
> And if there is a value in keeping them secret, then explain what the value is so randos on the internet don't have to make up rationalizations for you.
I'll keep this simple.
An entity (WL, a security researcher, whatever) discovers major unpatched mainstream software/OS vulnerabilities. Should the entity simply release the details publicly and let the bad actors have a field day while the software makers scramble to push out a fix before more damage is done, or would it be more responsible to first try to get the software/OS makers to commit to patching the vulnerabilities before releasing the details publicly?
Seeing as this behavior (attempting to avoid damage from publicly releasing the vulnerability details before they're patched) regarding the WL proposed release aligns fairly closely with responsible vulnerability disclosure practices among network security experts, Occam's Razor would suggest this is the more likely explanation.
Don't pay attention to the flood of government psy-op posts. It's pretty well become SOP for any article involving news/data critical of and/or exposing overreaching US intelligence.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Have you ever worked in IT? Or gone to college? Because Firefox is the browser of choice.
Always.
Sorry Google Chrome fans.
Got any proof of that?
hi we'd lie to talk to you about your net use
Seems this is being twisted back on wikileaks, when it should be purely focused on the WITTING PARTNERS OF THE CIA'S HACKING ACTIVITIES.
Ignore the trolls and misinfo agents.
Welcome to Slashdot, where the snark flows so thickly that no matter what Mozilla does, it's always bad (or at best pointless).
And then Mozilla focuses on people who do appreciate their work instead of Slashdot, and Slashdot throws a temper tantrum.
They may be requirements for "responsible disclosure", breach of which would cause their sources to dry up, just like journalists don't blab early from confidential sources to protect their source from being easily tracked.
Then if it goes on, it simply forces everyone to air everything they know about everyone.
Somehow this seems bad to a lot of posters here.
Notice how absolutely nothing is being leaked against Russia. It's all just unsubstantiated rumors.
I beg you to point me to anything like evidence, as I would be glad to absolve my fellows of my judgement of their ignorance.
Your entire response is a non-sequitur. It's weird you put in so much effort typing it but zero effort into understanding the post you responded to.
You completely failed to address the question: If it is "industry standard" then why won't they publish it? The effort required to publish it is trivial. I have not postulated any nefarious motives. I am saying they are the root cause of any conspiracy fantasies about their actions and not only could they easily dispel them, they ought to make this info public as a matter of course because they are the guys who are into radical transparency.
> Don't pay attention to the flood of government psy-op posts. It's pretty well become SOP for any article involving news/data critical of and/or exposing overreaching US intelligence.
Oh jesus, I feel like I am trapped in the middle of a fight between dueling conspiracy fantasists.
It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions
> If it is "industry standard" then why won't they publish it?
Reading comprehension, much?
From my post:
> Seeing as this behavior (attempting to avoid damage from publicly releasing the vulnerability details before they're patched) regarding the WL proposed release aligns fairly closely with responsible vulnerability disclosure practices among network security experts...
*Not* releasing the vulnerabilities straight away without at least a good-faith attempt to allow those who can patch the vulnerabilities the opportunity to take action before the vulnerabilities are released is the standard.
Try reading *all* the way through a post you want to respond to. It will save you further embarrassment in the future.
> Oh jesus, I feel like I am trapped in the middle of a fight between dueling conspiracy fantasists.
The old restrictions against US government use of propaganda domestically against US citizens no longer exist. That US TLAs use shills and sockpuppets on various social media platforms and forums is old news.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
So that's why its marketshare is only in the teens?
> If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.
Yeah, right. So where's the leak of the dirty laundry for Russia and China's massive hoarding of zero-days? Or NK or Iran? It's bloody trivial, right? Right?
We talk about leaked classified material that remains classified. Does it qualify as a federal crime to accept it?
They don't even deserve that consideration.
> *Not* releasing the vulnerabilities straight away without at least a good-faith attempt to allow those who can patch the vulnerabilities the opportunity to take action before the vulnerabilities are released is the standard.
You keep repeating this non-sequitur, why?
Here I will say it louder so you can hear me better: IT HAS NOTHING TO DO WITH THE DETAILS OF VULNERABILITIES
> The old restrictions against US government use of propaganda domestically against US citizens no longer exist.
The fact that you believe that the CIA is here in this dinky-ass little story on this vastly diminished site that nobody pays attention to anymore is why you are a conspiracy fantasist. You have a delusional belief in the importance of anybody here being manipulated.
It's well below that, especially if you count mobile web users, too. Generous estimates put Firefox's share at about 7%. It's likely lower than that, though. There's a good chance you could count Firefox's market share percentage using the fingers on one hand.
A deadline is very necessary in order to prevent circumvention of fixes. Example: it took Google until December of 2016 to release Dirty Cow fixes for Android users. Why? Because a vulnerability patch, from an intelligence viewpoint, means losing a tool. Just a theory, but I blame the election and wanting to monitor voter chatter. A deadline prevents things like this. Also, for companies that act like they love open source so much, they shouldn't have any trouble caring about their users over profits or have an issue with vulnerabilities and proposed fixes being publicly posted. People that see this as extortion may be in for a shock when experienced and responsible programmers look at the vulnerabilities and realize that they may be intentional, either for personal stats gathering or government back scratching.
Because it wouldn't help anything. Mozilla would only have received information about security flaws in their products and since Firefox uses its own rendering engine rather than being yet another Chromium fork (at least for the moment) there is nothing in there that would help other companies.
Why would Mozilla tell other browser developers about problems with Mozilla?
> There's a good chance you could count Firefox's market share percentage using the fingers on one hand.
That's hardly surprising, I can count to nearly a 1/3 market share with the fingers on one hand.
> if the info is valid.
Half-truths are still lies.
In fact half-truths are better lies because the part you do know is true.
Its the part you don't know that matters but without proof you can't be sure.
You are exactly right and also seem to be describing a wonderful world where all the government secrets are out and the populace has all the info they need to ensure that their own governments are living up to their standards. Assange would in fact win his crusade if governments started leaking real info about each other to news organizations.
Correction: Wikileaks wouldn't even be there without him.
"Trump!!", the new Godwin.
Did it hurt? Did you lose some fingers? Try with the other hand, you'll get more finger marketshare!
For me, the fingers on one hand have 50% market share over all my fingers, regardless of which hand I use.
What?
Revealing security flaws in a responsible manner is extortion?
Given how they've acted towards everything else on this planet, chances are it's the CIA going "you claim it was patched without a single change within the code or your children die in jail with you"
Actually it is quite possible to be critical about Wikileaks having demands. In principle at least. In practice Wikileaks is being smeared and attacked all day long and if they do not correspond to the highest standards they are regarded as evil. That is not realistic, Wikileaks can be very valuable even if it is very flawed. There are plenty of flaws around with the other players as well but for some reason other standards apply there.
What I would regard as sensible critique is that Wikileaks should try and stick to its core task: being the first step for whistleblowers to reach the public. They should try to limit their responsibility to that. To the extent possible they should avoid publishing themselves. It can be a plan B, but plan A, passing through journalism, should not be dropped even if it is problematic. They can release bugs to companies but don't necessarily have to take on responsibility for the bugs being fixed. So I think Assange is overstretching there. But that doesn't make him bad. It's more a disagreement about strategy.
> IT HAS NOTHING TO DO WITH THE DETAILS OF VULNERABILITIES
No matter how much you scream & shout, it has everything to do with the details of the vulnerabilities. The whole debate is about whether WL should simply publish the details or whether they should try to somehow assure, to the best of their ability and within reason, that the vulnerabilities are patched before the details are published.
The problem is that many of the various software makers in question have contracts and/or agreements with the government and are already quite aware of many of the vulnerabilities. In some cases it's likely they were the ones that put them and/or left them there deliberately at government request.
Trying to secure written and binding assurances that the vulnerabilities will be patched before publication is only rational and logical, and also demonstrably far more conscientious of the public's security and safety than the software makers and the US government.
If the software makers and/or the US government refuses to address the vulnerabilities in a reasonable time and manner, then WL will have no choice but to simply publish the vulnerabilities and their details. Any negative consequences from that point forward from the vulnerabilities being exploited in the wild are solely the responsibility of those software makers and the US government.
As for the rest of your post, you suffer from normalcy bias. It's quite common and encouraged in the current climate. Try being better-read and informed. It's the only way people can keep their privacy and freedom. Those things *can* go away far easier and faster than you might think if the people do not fulfill their responsibilities to stay informed and educate themselves in history as well as current events.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Anyone able to explain why these agreements/demands are SECRET? There should be ("industry standard"?) nothing stopping WL from publishing them. In the interest of transparency.
When the copyright term is "forever minus a day", live every day like it's the last.
> Heard this lie before from you dude. Why are you trying so hard?
Well, who do you think Microsoft is firing?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
For all we know, M$ and others may have written the code in the first place.
...and Governments/People have now realised that Wikileaks will publish anything they are given no questions on sources asked, as long as they can verify it is real ...and Governments have huge resources to make things look genuine
Puteulanus fenestra mortis
Wikileaks is now holding information hostage with demands? This shows more than ever before who Julian Assange really is. He is not a hero who helps to release valuable information to the world. He uses whatever he has for his own gains. If I had some government secrets that I thought should be public, he is the last guy I would turn to. I hope they kick him out of the embassy he calls home and feed him to the wolves.
More proof that wikileaks is a terrorist organization looking to expand its own pro-authoritarian pro-Putin influence and ensure they have all the backdoors they need to get juicy kompromat for idiotic Americans
> For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
You're joking, right?
Or anyway those who don't have a simplistic, easily-probed agreement or other conflict of interest with classified U.S. three-letter agencies. This criterion changes exactly nothing.
Beware the false prophets. Ineffective activism is exactly equivalent to doing nothing at all.
Of course they have "demands", that's the only way Assange can claim credit for being a "hero". Otherwise they'd just disclose them to the vendor and say they are going public in 90 days like everyone else does. No, instead Julian wants to play act that he's strong-arming "government contracts"
The sooner people figure out that wikileaks is just ego masturbation for Assange the better off we'll be.
They leak govt secrets then have secret demands - this is called the pot calling the kettle black.
Or are you assuming it?
And a quick look will show you that WL have posted dirty laundry of both China and Russia. But they haven't recently and this by default would be presumed because they have nothing. If you know this is wrong, where is your evidence of this stuff?
The WikiLeakies need to grow up. John Young may be a class-A curmudgeon (I've been on the wrong side of his disgruntlement myself), but Cryptome has been doing this since long before Assange was a gleam in the media's eye, and behaving like a site run by adults in the process.
There are far too many self-important glory-hounds associated with WikiLeaks (starting, of course, with the Fugitive himself). The organization has certainly done good in disclosing some important materials, but is all too easily distracted from its ostensible core mission.
Withholding 0-days from vendors is bad, regardless of whether it's the CIA or WikiLeaks that does it.
> It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions
Are you sure they're offering the same terms to everyone? I'm not, particularly when said terms are apparently secret (rather funny, for a "transparency über Alles" group of people...or rather, group of people who pay lip-service to said philosophy, but only apply it against certain nations, when they feel like it).
WikiLeaks is no better than the revenge porn creeps who target innocent people and businesses with threats of exposure or fake smear campaigns calling someone a whore or a child molester. Assange is like the politicians since he himself is trying to gain power over others regardless of the damage and pain he inflicts on others.
Assange has been evil ever since he asked Amnesty International and other similar groups for $700,000 to remove names of Afghan civilians who might get killed by the Taliban if their names get released on Wikileaks.
In my mind, he's no longer one of the good guys, even if he is releasing interesting information.
... Strat
We appreciate your contribution to the discussion, but please don't feed the trolls. It only clutters up the thread. ;-)
Wikileaks isn't obligated to fix your 0days for you. If you don't want the help, just do it yourself.
Because it's open source?
How do you know? It's entirely possible that the same vulnerabilities exist in different software doing very similar things. How do you know it's in the rendering engine and not one of the common libraries they use, etc? You don't, because no one has made the exploits available to you.
AFAIK, that info is a rumor, probably spread to make wikileaks look bad.
Yes, they released docs with names, they said they should have been more careful, but I never saw any real news about that money, only random forum posts.
Higuita