WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune:
Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."
I wonder why wikileaks doesn't leak the agreement terms?
Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?
I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.
This is extortion.
No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").
It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.
In other words, if wikileaks isn't gaining anything (money etc) from this, it isn't extortion or blackmail. It's Wikileaks allowing the tech companies to fix the holes the CIA created before they release information about those holes to the general public - thereby possibly allowing the tech companies to save face. That makes sense, since it's quite possible that it's no fault of any of these companies that the CIA decided to completely trash their products in the name of spying on everyone. The damage is already done, in other words, and there's really nothing stopping Wikileaks from just telling the world what the damage is. It's kind of nice of them to give Microsoft etc some breathing room first, so that when they do release details on the damage done, they can also include information that shows these tech companies have already fixed the problems.
Deja Moo: The distinct feeling that you've heard this bull before.
Fuck Wikileaks. I initially supported what they were trying to do, but they've proven to be complete assholes.
I don't respond to AC's.
I don't expect Wikileaks to be saintly and I think it's not necessary for them to be above all criticism in order to be valuable. Checks and balances are important because there is no good guy that you can trust with too much power. And Wikileaks both has value in it, and is one of the guys you can't trust with too much power.
That doesn't mean I believe the criticism about Wikileaks. That's just a giant and very successful FUD campaign.
For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad! Just look at all the posts on here. No, that doesn't have to be bad. It can be about wikileaks being paranoid about their action being used against them somehow. It can be about requiring the company to commit to actually fixing the bug within a certain period. It could be a mediocre decision by Wikileaks. That would still not be reason to make a big fuss about it.
Wish you critics would make up your fucking mind.
You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).
We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.
MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
How can anyone say this is extortion? Why did Mozilla sign the honesty form ("industry standard responsible disclosure plan")? Maybe because they are more honest than MS? Maybe because they have nothing to hide? This is an attempt to shame the cowardly tech giants that have been in on this crap from the beginning. Sign the form, fix the holes!
A brain is a terrible thing to waste... Mind? That's debatable.
If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.
I never brought up Russia though I understand why you'd assume I was talking about them. The US, Russia, China, literally any country or any organization can selectively leak info on competitors if they haven't figured out they can do this (and I'm sure they have) then they will.
It's trivial to manipulate Wikileaks by only leaking the narrative you want told.
We talk about leaked classified material that remains classified. Does it qualify as a federal crime to accept it?
Anyone able to explain why these agreements/demands are SECRET? There should be ("industry standard"?) nothing stopping WL from publishing them. In the interest of transparency.
When the copyright term is "forever minus a day", live every day like it's the last.
Heard this lie before from you dude. Why are you trying so hard?
Well, who do you think Microsoft is firing?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You have a funny definition of freedom yourself if you think that it means developing and collecting techniques to use your personal electronics as spies for the government. Whatever Assange's relation to the Kremlin may be: on this specific issue they are fighting for your and my freedom with much more impact than any soldier ever had in the past 70 years.
According to a 2011 interview with Forbes, Assange is some sort of libertarian. Now I tend more to what is called socialist in the US, and believe little in trickle-down economy and market shenanigans, but you are describing a fascist, which Assange has never given any reason to believe he is. On the other hand, the people who "believe in absolute rule" are also those who collect and use the hacking tricks used by the CIA. So what kind of fascist would ever disarm the brown shirts?
Victims of 9/11: <3000. Traffic in the US: >30,000/y