WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."

This is extortion

This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should he ashamed of yourselves.

Re:This is extortion

If this is extortion than so are the CIA actions this is set opposed against.

Re:This is extortion

[green1]

Depends what the agreement is.

It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.

You'r rushing to judge them without all the facts. But that's in vogue these days.

Re:This is extortion

Did you not read the part where it says that nobody really knows what demands are being met? Given the past abuses of the CFAA, this could be something as simple as "you will not hold wikileaks responsible for the contents or means of finding the vulnerability information, nor will we be held accountable for the illegal means in which the information was gathered by the CIA". IANAL, but I'd guess that including such a clause would be wise, given the aggressive application of judicial power used against wikileaks in the past.

Re: This is extortion

What are they extorting?

Re: This is extortion

What are they extorting?

Crullers. Didn't you read the article?

Re:This is extortion

[Megol]

I wonder why wikileaks doesn't leak the agreement terms?

Re:This is extortion

I wonder why wikileaks doesn't leak the agreement terms?

maybe so somebody can say this:

You'r rushing to judge them without all the facts. But that's in vogue these days.

:p

Re: This is extortion

[Entrope]

Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.

Re:This is extortion

[NatasRevol]

It's wikileaks fault all the facts aren't out. They have all the cards, and are only showing some, so fuck them.

Re:This is extortion

[Anubis+IV]

Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

Re:This is extortion

[Clived]

I agree, looks like we are starting to see Julian's true colours. He lost my support around the US election for bullshit like this. I am ashamed of you Mr. Ashange

Re:This is extortion

I'm dismayed.... the complete lack of character of most of the users on this site .... All of you should he ashamed

Ashamed like you are of supporting ISIS? Stazi level spying on US Citzens? Sedition against the elected -- orange, boorish, but actually elected -- US president?
And we're supposed to feel sorry because you're too incompetent to secure your own data?
We're supposed to give up freedom of speech because your media lackys have re-framed things for the umpteenth time?

CIA plz. Get some better psyop writers.

captcha: honest

Re: This is extortion

He he CIA employee amongst us

Re:This is extortion

[Mephistophocles]

This is extortion.

No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").

It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.

In other words, if wikileaks isn't gaining anything (money etc) from this, it isn't extortion or blackmail. It's Wikileaks allowing the tech companies to fix the holes the CIA created before they release information about those holes to the general public - thereby possibly allowing the tech companies to save face. That makes sense, since it's quite possible that it's no fault of any of these companies that the CIA decided to completely trash their products in the name of spying on everyone. The damage is already done, in other words, and there's really nothing stopping Wikileaks from just telling the world what the damage is. It's kind of nice of them to give Microsoft etc some breathing room first, so that when they do release details on the damage done, they can also include information that shows these tech companies have already fixed the problems.

Re:This is extortion

So when Wikileaks releases raw dumps of leaked data, they get criticized because the data wasn't "curated" and personal information like cc numbers, phone numbers and addresses, social security, etc. are exposed. But when Wikileaks holds back information because the information contains sensitive and potentially harmful data , they get criticized. Wish you critics would make up your fucking mind.

Re: This is extortion

These terms are common in the security research community. And yes, people have been sued for disclosing what they know. You can be an adult and do a google search yourself.

Re: This is extortion

As an adult I did a search and it has never occurred. If it had you could also be an adult and just share the information instead of asking people who are interested in something you are familiar with to become an expert enough to figure out how to phrase a question for something they are mildly curious about.

This is the time and the place for the question you dismissed.

Re:This is extortion

[bill_mcgonigle]

Wish you critics would make up your fucking mind.

You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).

We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.

MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.

Re:This is extortion

Why don't the tech companies that received the emails do it? The sources from the stories obviously are employees from the companies contacted and spoke to the journalist. Why don't they leak the agreement terms?

Re:This is extortion

Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.

The public voted that the material should be released to the technology companies. As part of that, there are certain conditions that a company is expected to follow, such as ensuring that the bug is patched within 90 days. Now, Anubus IV, why do you think that might be? I'll tell you, as it obviously flew over your head. The reason they have the 90-day window is so that WikiLeaks can release the material after that window has passed, and know that what is being released won't cause a metric tonne of exploits to suddenly be available to every machiavellian individual on the planet.

Is that extortion? No, that is prudence and not being a dick.

For the record, I voted against it being reported to the technology companies, as I know they are the problem. That Microsoft is framing matters the way they are, only serves to prove my point; they have chosen to be dicks, and invariably that is what they do.

Re:This is extortion

Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.

The public voted that the material should be released to the technology companies. As part of that, there are certain conditions that a company is expected to follow, such as ensuring that the bug is patched within 90 days. Now, Anubus IV, why do you think that might be? I'll tell you, as it obviously flew over your head. The reason they have the 90-day window is so that WikiLeaks can release the material after that window has passed, and know that what is being released won't cause a metric tonne of exploits to suddenly be available to every machiavellian individual on the planet.

Is that extortion? No, that is prudence and not being a dick.

For the record, I voted against it being reported to the technology companies, as I know they are the problem. That Microsoft is framing matters the way they are, only serves to prove my point; they have chosen to be dicks, and invariably that is what they do.

Re:This is extortion

Assange is garbage, and Putin's lapdog to boot.

Techies are belligerent, stubborn, overeager to be "right", and unusually terrible at reading people.

Even those who fancy themselves as social engineers are usually borderline sentient fedoras.

Re:This is extortion

[The+Real+Dr+John]

How can anyone say this is extortion? Why did Mozzila sign the honesty form ("industry standard responsible disclosure plan,")? Maybe because they are more honest than MS? Maybe because they have nothing to hide? This is an attempt to shame the cowardly tech giants that have been in on this crap from the beginning. Sign the form, fix the holes!

Re: This is extortion

[AmiMoJo]

They are doing it to find out which vendors are in bed with the CIA. If they won't agree to fix the bug in 90 days up front, chances are it's because they don't want to commit to fixing something that the CIA might be using with their knowledge/support.

Re: This is extortion

[Entrope]

Equally plausible: They're doing it because they're a front for the Kremlin.

Re:This is extortion

I don't see how threatening to NOT disclose information can be considered extortion. Releasing the information to these companies would be collaboration, and there is no moral reason that there can't be conditions put it. Standard practice in the business world.

Re:This is extortion

Yay, concern trolling in action.

"journalists" are still too busy being salty Wikileaks dared publish information damaging to their party.

We don't know what Wikileak's terms are. For all we know they want to ensure that things don't get swept under the rug (while giving those corporations enough time to fix it, i.e. responsible disclosure) which makes sense given that they want information to get out.

Re:This is extortion

[arglebargle_xiv]

Uhh, did you actually read as far as the second paragraph of the article you're commenting on?

"most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA."

The information that Wikileaks has made available is still classified, even if it's public. If you work for an organisation that handles government contracts, and some of your employees have security clearances, then you can't receive classified information to help you fix an 0day, even if the classified information is now public. It was the same with the Snowden stuff, if someone had wanted to DoS everyone in the US with a security clearance all they'd have had to do is get one of the TS docs published with security markings intact on the front page of the NYT, LA Times, and so on.

The reason why Wikileaks has to be so careful is so they don't get the companies receiving the information into trouble. In many cases, when the rules you have to play by are obviously insane, the only winning move will be not to play.

Re: This is extortion

Equally plausible: Entrope is User #7995631!

Re: This is extortion

[Rei]

Well, in the past it was cash. And back then it was aid agencies and human rights agencies he was extorting.

Or maybe he's wanting them to sign some sort of absurd contract like the insane NDAs he used to make Wikileaks members sign.

Re:This is extortion

"Extortion is defined as the use of force or threat to achieve a gain of some sort..."
By suggesting that companies who don't agree to Wikileaks are refusing to do it solely because of government ties, Assange is already threatening damage to their reputations even though he has absolutely no evidence to back that up (or we would have seen it long before now).

"It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves..."
Without seeing the terms and conditions it is impossible to say that Wikileaks isn't attempting to get some form of gain from this. It may not be financial, but there may be some form of legal protection or indemnification that they are seeking.

The fact that Wikileaks is expending such effort to demand companies agree to their conditions, and denouncing them when they don't, instead of just releasing the exploits to the companies involved makes me question their values. The fact that Wikileaks is not even making the Conditions of release public reeks of Wikileaks having an ulterior motive.

Re:This is extortion

[SwashbucklingCowboy]

"It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable."

lol Not a chance in hell. There's no case to sue if they go public with the vulnerabilities. They want something else.

Re: This is extortion

No it is not extortion, they are not looking to gain anything from the exchange, so no it is not, they are being prudent with the request that they be fixed within 90 days of rrvelation so that the info can be released afterwards without negatively impacting those effected by the exploits in a widespread manner.

Re:This is extortion

[Anubis+IV]

It seems you took my comment as an implicit affirmation that I think this is extortion, but that's not the case. I was merely pointing out the moral flaw in the previous poster's comment. Whether or not this is extortion is being discussed elsewhere, but at least from what I know of the situation, I don't think it is.

Re: This is extortion

[TellarHK]

Until we have the exact demands they're making of companies involved, we don't know that. We need to know exactly what the terms they are asking for are. Full stop. Someone should get them from Mozilla.

Re: This is extortion

Using the law as a framework of what is ethical is risky business.

Re:This is extortion

One of the agreement terms is probably "if you leak the agreement terms, then baby gets nothing" (although Mr Assange wouldn't use that phrase, since he regards popular culture as beneath his dignity).

I wonder how much money he wants? He has to monetize this somehow, since donations have been dropping off since people found out what kind of a scumbag he really is.

Re:This is extortion

[Curunir_wolf]

Pure BS. No way he's trying to extort money from them. Someone would have posted the terms by now. Not like Mozilla is going to pay up, either.

Re: This is extortion

[Curunir_wolf]

Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.

They've done worse than that. They've had the prosecuted as criminals.

Re: This is extortion

[Entrope]

[citation needed]

Also: Companies do not decide what makes a crime, and do not (as far as I know of, in civilized countries) have the power to prosecute crimes.

Re: This is extortion

[Curunir_wolf]

Equally plausible: They're doing it because they're a front for the Kremlin.

Found the neoMcCarthyite.

Re: This is extortion

[Entrope]

Found the neoMcCarthyite.

Another useful idiot self-identifies.

I do not think either hypothesis is convincing -- but they are basically equally plausible.

Any person or company with a US security clearance can lose it if they solicit the unauthorized disclosure of classified information. If they agree to Wikileaks' terms, that would probably qualify as a serious security violation; even talking with Wikileaks about the subject might qualify. That doesn't mean they are "in bed with" the CIA, only that they do work related to national security and wish to continue doing that.

There are lots of other reasons that a company would refuse to agree to terms dictated by a party with details of security problems. Some examples: it sets a bad precedent, it suggests the possibility of corruption, and there is seldom any way to enforce compliance.

Because there are so many reasons that companies would reject terms dictated by Wikileaks, and not want to negotiate terms, it is either naive or malicious to infer that companies who refuse Wikileaks's terms did so because they have secret deals with the CIA or anything else to hide.

Re:This is extortion

I wonder why wikileaks doesn't leak the agreement terms?

maybe so somebody can say this:

You'r rushing to judge them without all the facts. But that's in vogue these days.

:p

After all, information should be free. Right wikileaks?

Re: This is extortion

Read what you just wrote. A company won't agree to any "terms" because they want to continue doing secret shit for the government.

That's exactly what they're trying to ferret out, companies doing secret shit for the government!

Re: This is extortion

Wow, tinfoil hat much?

The more likely solution is that companies aren't willing to agree to fix a set of bugs within 90 days without even knowing what that set of bugs is. I think it would be incredibly irresponsible for someone to agree to do a set of work in a set timeframe without even knowing what that work is.

Re:This is extortion

[poity]

Wikileaks: I need guarantees that you will use this information to the benefit of your users rather than the government
Microsoft: We'll get back to you on that
Media: Wikileaks isn't helping Microsoft unless demands are met
Media Consumers: WTF I HATE WIKILEAKS

Re: This is extortion

Nah, that can't be it.
You are just an apologist for the lizard people who run the government.
Obviously the CIA paid you handsomely for your posts here today.

Re: This is extortion

> [citation needed]

Citations have a well known association with conspiracy.
This fact was revealed in the Podesta emails, they wrote them while eating pizza. So you know its true.
Hence we will not provide any citations because we do not want to be complicit in this conspiracy.
Assange for President!!!

Re:This is extortion

[LostMyBeaver]

I honestly don't think you have a clear understanding of how civilized people behave.

We don't say things like "It's OK to do this because someone else is doing something worse."

I'm not religious and I don't believe in things like revenge or retribution which bibles are generally so fond of speaking of. I instead believe in right and wrong. For example

We do say things like "We do what is right because it is right. We know it is right because it will help people and hopefully not harm them. We also will try to make sure that we won't do harm either. We don't care who they are or where they come from or even what they believe in. Helping people be better off today than they were yesterday... even if it means taking something from ourselves... even something as simple as time... well it's right to do. We don't do it for reward. We don't do it for fame. We do it simply because we want this world to be a better place to live in."

So... I honestly don't care what the CIA response is. At least not with regard to whether we want to help people or not. We see if there's something that can be done about the CIA otherwise. These are simply two different issues.

That said, this is in fact extortion. It's like the guys who hack into websites and then call them and show them they've been hacked and "I've done it for your own good". Followed by "I'll fix it for you in exchange for $XXX"... or "I'll tell you how I hacked it for $XXX". Just because Wikileaks stole the information as opposed to having found it themselves doesn't make it ok.

Re: This is extortion

So you don't embarrass yourself with blatantly false statements about the the bible says about revenge: https://www.openbible.info/topics/revenge

Learn about something before making ignorant claims.

Re:This is extortion

Satya, is that you? Remember you told us to "just fucking trust you"?

Re: This is extortion

I can't get what the Kremlin could gain from this: it doesn't make sense. If they're from the Kremlin, it means that the Kremlin knows and uses those bugs, so they don't get anything from releasing them to the tech companies or making them public, the two possible scenario now. They could have just kept them secret, the most obvious choice for a spying agency, but they did not, so what's your point?

Re:This is extortion

Govt troll detected. Possibly https://wikileaks.org/ciav7p1/cms/page_7995633.html

Re: This is extortion

[AmiMoJo]

Either way, it's of massive benefit to us.

Re: This is extortion

You're a pedantic moron.

Re:This is extortion

"I'll give you this gun as long as you promise not to shoot me with it"

From the article, it sounds like that's all they're asking for. If I'm wrong and they're asking for unrelated things, then I totally agree with you and that was actually my first impression upon reading the headline. But in reality it seems like Wikileaks will release information about the exploit as long as vendors promise to fix the exploits rather than allow the government to continue using them to violate our privacy and security. That's fine. That's akin to saying "if I give you this thing to help you, you have to promise not to use it against me"

Re: This is extortion

WTF! I love CIA now.

Re:This is extortion

[Lonewolf666]

And why is it even necessary to negotiate here?

This could be sidestepped by telling, not asking the software vendors to fix their stuff within 90 days. Because after 90 days, the vulnerability will be made public. Either they fix their stuff or they can watch their customers' IT being raped :-)

Re: This is extortion

Err... I am pretty sure being pedantic, and correct, precludes being a moron.

Re: This is extortion

[Entrope]

You read what I just wrote. I gave that as only one example of a reason that companies would not accept terms from Wikileaks.

There is also a very big difference between "doing classified work for the government", which I described, and "keeping products buggy because of CIA money", which the apparent Kremlin stooge suggested was the motive. Someone could work on an unclassified system where certain details are classified; for example, a land mine and IED detection system, where the details of how well it works on military vehicles in various conditions are classified, but those classified details are important for improving the system and saving lives.

Re: This is extortion

[Entrope]

How do you suggest that Wikileaks (or the Kremlin) would dump all the information in this archive while withholding the details of the exploits?

The Kremlin presumably would not have known about all, or perhaps many, of the bugs before the leak. They gain from keeping the bugs open.

The Kremlin would love to undermine public trust in major US companies, either directly because of security problems, or indirectly by painting them as CIA pawns.

The Kremlin would love to be able to focus attention on US covert activities to divert attention from all the journalists and opposition politicians it has assassinated.

Re: This is extortion

They've been watching that for a very long time. Maybe more raped?

Re: This is extortion

[Entrope]

Please clarify. Do you mean that keeping the details of exploitable bugs away from the people who can fix them or thwart attacks is a "massive benefit to us"? Do you think that the Kremlin has the best interests of Americans at heart? Does the Kremlin pay you as a propagandist?

Re: This is extortion

He is no more, or less, a scumbag today than he was a year ago. Well, unless you're a partisan idiot.

Re: This is extortion

Being pedantic only makes you a bore and the laughingstock of Real People. Being an asocial autistic nerd is not something to be proud if.

Re: This is extortion

[AmiMoJo]

It is of great benefit to know what the exploits are and to know which companies don't want to fix them.

Re: This is extortion

[Anubis+IV]

It's pedantic to constrain my comment to the specific topic I wanted to address? I don't think so. I kept my comment to the exact issue I wanted to discuss. That someone else jumped to a conclusion based on what I said is unsurprising, but I didn't want to dilute my original comment by addressing all angles of this situation. I wanted to make it very clear that I was taking issue with their "two wrongs make a right" mentality.

Re:This is extortion

Contrary to popular belief, two wrongs can make a right. It all depends on circumstances. In these particular circumstances.. seems too early to tell.

Re:This is extortion

Wikileaks is using the information to push their political ideology. Assange did the same thing with the Manning data. They wanted to dictate terms to all of the media outlets or he wouldn't cooperate and give anyone else access to the information. Wikileaks was supposed to provide a service for people to release information but remain anonymous when doing so. Wikileaks has totally failed at this. Now Wikileaks is just a tool used by various intelligence agencies to attack their enemies. Assange must really like living in the Ecuadorian Embassy.

Re:This is extortion

"This is extortion", said the loser, "I'd have won if the opponent had not forced me to capitulate!"

Re:This is extortion

[NatasRevol]

Oh, boo hoo. Poor wikileaks put itself in a difficult position, then waffles on that position, then gets criticized for waffling.

Fuck them.

Re:This is extortion

[NatasRevol]

We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have)

Your honor, you can be quite sure I never killed that guy, because I never have.

Re: This is extortion

Russian boogieman. Riiiight. And you think the alt right and Putin are doing this....? Alt left, soros, globalists and deep state are represented by whom? Let's hear it.

Deep state has all major software rooted. That's scarier than Russian boogieman. The god damned chinese scare me more than Russia.

Re: This is extortion

Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

There were few cases where someone contacting a company about a vulnerability in their product/site got get up with police.

Re:This is extortion

[pabloesgalhardo]

No, this is not extortion, this forcing multinational conglomerates to comply with perfectly acceptable and decent polities regarding those who in the first and last instance provide them with profit. WE ARE NOT SHEEP

Re:This is extortion

Firstly we aren't told exactly what transpired in the M$ correspondence, secondly - Extortion? Sending in a honeypot or outright pressuring a former partner of his for not (or claiming he didn't) use a condom during consenting intercourse and telling the world he's a rape doesn't really compare to him just trying to ensure he lives to see 2018. There's a possibility he will be kicked out of the Embassy and if he does he's a dead man, or might as well be dead (and what will happen to him will make he was). Extortion though? Put yourself in his position, I think you should just go back to blaming the Russkies

Re:This is extortion

[stoatwblr]

The problem is that time and again when given a deadline to fix, vendors have gone to court to try and prevent the exploits being published.

The only way to prevent that is to set a deadman switch on the release of data.

A "don't sue" clause seems prudent.

Re:This is extortion

[AutodidactLabrat]

Wrong.
You can not "Extort" someone when you merely require him to honor "Fitness for use intended".
That you have to twist his arm to get him to comply with contract law is a sick note on how little enforcement there is against criminal capitalism.

Re:This is extortion

[Anubis+IV]

Wrong.

Re-read my comment and you'll see that I constrained it to the moral failing of the previous poster, rather than addressing the broader issue of whether or not this is extortion. If you think I'm wrong in saying that two wrongs don't make a right, I'm happy to discuss the matter further, but with regards to whether this is extortion, I've already said elsewhere that I don't think it is.

Re: This is extortion

[Archangel+Michael]

you made a vague accusation that the Kremlin is influencing WikiLeaks. Do you have any evidence?

This is the second time I've seen this accusation, and the first time the guy offered no evidence, just that he "was Russian, and knows things". My guess, is that this is all part of the vague "Russians Hacked the US elections" thing, that was exposed as being based on vague accusations ... from the beginning.

It is actually more likely that it was Seth Rich that gave WikiLeaks at least part of the treasure used to upset the election. And having "Password" as your password ... revealed in a Phishing attack is evidence that said person shouldn't be anywhere near sensitive/secret information.

So far, vague allegations are all that is needed to upset people with Trump. The fact that he is playing the game back is popcorn worthy material. Nobody gives a shit when the Press lies with its unsubstantiated allegations, but when Trump does it, all hell breaks loose and his is "unhinged"!

Re: This is extortion

[Archangel+Michael]

The CIA presumably got the hacks from Russians, so that they would want the Russians to take the fall.

The CIA is actually working with affected companies, and they really can't disclose the vulnerabilities to the public, because they already know about them.

The CIA would love to undermine the public trust in WikiLeaks, so blaming the Kremlin for everything is logical (cold war mistrust)

The CIA would love to be able to shift the focus off their hacking skills and put it on the Kremlin.

OR Perhaps both the Kremlin and the CIA are both pissed at the other exposing them and are using public press to wage a war for the minds of citizens of the world. Meanwhile, I'm pissed that nobody seems to give a shit about doing the right thing, except it appears ... WikiLeaks.

Re: This is extortion

Looks like the right wing has us beat when it comes to theorizing conspiracies.

Re:This is extortion

[SoftwareArtist]

Maybe. Or maybe not. If the conditions are such reasonable, industry standard ones, why isn't wikileaks disclosing what they are? Given Assange's history, he has zero credibility in my book. For an organization that's supposedly dedicated to public disclosure, they're awfully fond of keeping things secret. I mean really, they won't tell us what conditions they're asking the companies to agree to? Then I certainly won't assume they're as reasonable as he wants us to think they are.

Re: This is extortion

It's a huge assumption that the 90 days-fix is their requirement. That being said, if it is, even that is unreasonable. For example: "The registry represents a security flaw because a X, Y, Z, and they can't be patched. Replace the registry in Windows in the next 90 days."

Such a thing would not be possible.

Moreover, imagine Wikileaks said "you have to provide us the full source code of your entire application, and let us provide FOSS access to the world at our discretion." It would be silly for a company to agree to that.

Remember how Assange had said he would turn himself in if Manning had been given clemency? They have a history of negotiating in bad faith.

Re:This is extortion

Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.

I can think of hundreds of ways an online vote could be rigged, including but limited to not actually counting the votes and faking numbers such that what Assange wanted to do won.

Even if it were a fair vote, it's possible they set up the vote to go in the way they wanted to. Among others, I've seen Professional Wrestling do it more often than once (albeit for entertainment), and the same techniques could be applied here.

Re:This is extortion

[doccus]

This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should he ashamed of yourselves.

Yes, it's true that it is extortion. The question becomes, then, is it ever justified? I think, when you are dealing with either corrupt entities, or entities that pervert the legal system to meet their needs at the expense of the public, it may well BE justified. Nothing is ever set in stone, except for the 10 commandments (whioh is where the saying "set in stone" originated, after all).

Re: This is extortion

[Entrope]

So why does Wikileaks want to keep the bugs secret from the companies that can fix them?

Re: This is extortion

[Entrope]

I didn't make such an accusation (various US security pundits have). I only said it was as plausible an explanation (for Wikileaks making demands in exchange for details about security bugs) as "Wikileaks is stupid enough to think that companies who don't agree to its terms must be in cahoots with the CIA". As I said in a comment elsewhere in this chain, I don't think either explanation is very convincing.

Re: This is extortion

Extortion!!!!!! Extortion!!!!!!

You have no idea what you are talking about.

Re:This is extortion

[AutodidactLabrat]

Sorry, posted in the wrong place.

Re:This is extortion

Oh yeah, that's the big fear of Wiikileaks...that some tech company might file a lawsuit.

"Here's a vuln. We'll wait a maximum of 90 days before releasing the details of this vuln to the world. This is a hard deadline to make sure you have a fix out by then." This is perfectly reasonable, and it's what the Google security folks do by the way.

Re: This is extortion

If there are bugs like that that CAN'T be fixed, the world needs to know so we all can start planning on a migration to a different operating system.

Re: This is extortion

EXACTLY!!!

Re: This is extortion

[citation needed]

Really? It's been in the news and in court reports often enough that anyone who does security research knows the risks. Happens all the time, you should get out more and try reading and comprehending some more.

Re: This is extortion

[LostMyBeaver]

https://www.openbible.info/topics/retribution

Why not search within page there for the word vengeance and see what turns up. You don't get to selectively choose on

I have read quite a few bibles actually. The topic of vengeance and revenge hidden under the title of retribution is what originally made me adverse to being a member of religion.

I think the beauty of religion is that we all have our own interpretations of it. I spent 13 years of my life praying to a god that he will come down and take vengeance on my oppressors and enemies. I read those prayers over and over and over year after year. It taught me to hate anyone who was an enemy of my religion... which by further definition meant anyone who was not of my religion because if they were not an enemy of my religion, they would be a member of it.

I was also taught that everyone everywhere wants to kill me because I was unfortunate enough to have been born a member of my religion. I was taught that in 3800 years we were always the victims of the hateful infidels. And one day, the lord would send us a messiah who would allow us to have our vengeance and seek retribution.

Visit a Jewish temple sometime on a Saturday and listen to the little children sing the pretty songs in Hebrew... and then read the translations as they sing them. They have no idea what the words mean, but they all love those songs and how special they are that they can sing them. I think you'd be absolutely shocked and horrified by their meanings.

But I guess you're all knowledgeable about all religions and your interpretation is right. Religion gives us the word retribution as a means of making revenge sound so much sweeter and nicer. It's not revenge if "we're only getting retribution".

Let me tell you something, retribution is nonsense. We go to war and kill people for retribution. Need proof? Most of the western world hauled ass to Afghanistan to find retribution against people who killed themselves by crashing airplanes into buildings. Do you know how many good and innocent people died in our hunt for retribution? Do you know how many good and innocent people died as the western world went out there with massive weapons and leveled villages and cities? And while we did it, the world leaders stood and declared "God is with us!".

So, before you make embarrassing statements about how well you understand the bible..

First rule... there is a lot more than just one bible

Second rule... the King James Bibles is a highly selective lovey dovey version of the old testament. To be fair, the Torah is a deep, dark and damn near hateful book which makes the darkest parts of Quoran look warm and fuzzy in comparison. Read a proper translation and reference that instead.

Third... openbible.info is a REALLY REALLY politically correct interpretation. It's practically "fake news". It leaves out most of the really good stuff... especially the stuff about violence and systematic hate.

That said, I have absolutely nothing against religion. Only against zealots. Both my kids are baptized and my son is being confirmed in September because we want to show respect to our religious family members and their faith and it just doesn't hurt to eat a cookie and have a drink. My son is even attending training for his cookie eating ceremony every week for 6 months.

In the future, when you jump to the conclusion that someone may in fact have an interpretation of religion other than your own simply because they are uneducated, you might be wrong. It could be that they simply see things differently than you.

Sounds reasonable to me

n/t

Re: Sounds reasonable to me

As I said, most nerds are morally bankrupt and will support this extortion by Wikileaks. Most Slashdot readers are happy to support criminal activity like extortion so long as it furthers their twisted objectives.

Re: Sounds reasonable to me

[amiga3D]

There are no good guys in this scenario. Wikileaks is so focused on their little crusade for openness that they've adopted the same "the end justifies the means" approach as the CIA and NSA.

Re: Sounds reasonable to me

Exactly what are the "ends" that Wikileaks is trying to achieve? Do you really think they're the same as the "ends" of the NSA and CIA? This equivalency comparison is so fucking asinine.

Re: Sounds reasonable to me

Whenever I see people bash wikileaks for no reason I always under about

https://en.wikipedia.org/wiki/CIA_influence_on_public_opinion

Re: Sounds reasonable to me

Yes! Less openness! More opaqueness! More secrecy! Less freedom! Power to the government and not to the people!

I used to cheer for Wikileaks, but then they leaked something I didn't like, so now I stamp my feet and shout "boo!" and "russia did it all!"

Re: Sounds reasonable to me

Yeah, easier to blame it on conspiracy than engage with the points they make.
You conspiracy fantasists are all the same.

Re: Sounds reasonable to me

[SwashbucklingCowboy]

This isn't a crusade about openness, this is a crusade to hurt the US. Notice how Wikileaks doesn't leak anything about Russia? Or China? Or ...

Re: Sounds reasonable to me

[TellarHK]

I don't believe WikiLeaks has anything to do with openness anymore. Not since they openly held back and released things during the US election timed specifically to harm a candidate. They're in it for something more now, and the only question is who benefits. It's not any of us, except maybe the remaining Putin shills.

Re: Sounds reasonable to me

Your right, Wikileaks has pro-american agenda. They want Russia and China to be shit countries and not fix their problems, but they allow USA fix their problems, by revealing problems. USA is lucky to have such a friend.

Re: Sounds reasonable to me

Exactly what are the "ends" that Wikileaks is trying to achieve?

ka-ching!

That's a cash register, for those of you born after the time when cash registers go "beep".

Re: Sounds reasonable to me

[morkk]

Have you bothered to consider that maybe they don't get leaks from Russia or China? Nothing leaked - nothing to publish.

Re: Sounds reasonable to me

[morkk]

>Not since they openly held back and released things during the US election timed specifically to harm a candidate.

You actually know this or just repeating an alternative fact you read somewhere?

Re: Sounds reasonable to me

Probably because too many people think "they're the shit" when the reality is it's a great country because it ostracizes others. Russia and China are assholes and we all know it. There's no need to expose anything when they don't hide anything. Putin just gets on his high horse with no shirt on and does whatever the hell he wants. Wikileaks will target them only if balance is needed to keep people in check.

Re: Sounds reasonable to me

[Imrik]

The point is that it doesn't matter what the ends are if the means are the problem.

Re: Sounds reasonable to me

There are no good guys in this scenario. Wikileaks is so focused on their little crusade for openness that they've adopted the same "the end justifies the means" approach as the CIA and NSA.

That is an interesting conjecture. First, I really don't support wikileaks. The crap they leaked during the election was more about influencing an election than actually doing the right thing. Now as to the CIA and the NSA. Many of the things done are done because we can group people in two groups. Americans and Not Americans. Certain rules apply to Americans. Far fewer apply to Not Americans.

While I understand that there are practical difficulties, I'm not sure it is a good idea to base key rules and norms on what you can get by with because people in the not American group have fewer rights. This is similar to your previous argument.

For instance, many (most?) likely voted for Mr. Trump using the ends justifies the means argument of one type or another. Sure they may know, at some level he is a less than moral person, but they believe they will get more of what they want with him. Can moral outcomes truly be based on the work of a fraud? I think Mr. Trump is an example of true evil. He will say anything to win and say the opposite thirty minutes later if that benefits him. Whether something is true or not is not something he appears to take into consideration. Instead it is whether or not it is useful to his immediate goals. Those goals seem to revolve around increasing the legend and prestige of the Trump name, and not fixing actual problems.

The sad thing is the three letter agencies may not always be the most moral, but they may be our only hope.

Re: Sounds reasonable to me

[amiga3D]

But withholding info on vulnerabilities is not an ethical position. I'm not really bashing them though, just pointing out that they've made the same mistake the CIA has made. They've so focused on their goals that they've abandoned the high road.

Re: Sounds reasonable to me

[amiga3D]

I really don't blame the CIA. They're spies and spies spy. It's what they do. The problem is they're not kept on a short leash lately and have been allowed to hunt on their own. The people that oversee them are to blame I believe. They can call them to heel anytime they get ready to if it suited them.

Re: Sounds reasonable to me

What extortion? Noticing the potential legal pitfalls with the US government doesn't equal extortion.

Re: Sounds reasonable to me

[tinkerton]

I would fully agree though the main issue with the CIA is keeping them on a short leash. But if you think the problem is recent, this offers a better starting date : https://mises.org/blog/truman-...
What the latest leak shows is that the CIA is diversifying more , increasing their reach, making them more independent. They don't have to ask the NSA for help, they've got their own departments. That is all about increasing power.

Re: Sounds reasonable to me

[meta-monkey]

But withholding info on vulnerabilities is not an ethical position.

It depends on the circumstances, doesn't it? If you release a vulnerability that the vendor has no intention of fixing and people can't fix themselves, you just made it known to more bad guys and put more people at risk. And if you don't play the media right then no one pays any attention so you may not even get public pressure on the vendor to fix their shit.

I agree that WikiLeaks acts in the interests of WikiLeaks, but I don't think there's a one size fits all rule for the ethics of vulnerability disclosure.

Re: Sounds reasonable to me

[meta-monkey]

Is there any evidence WikiLeaks has received Russian or Chinese leaks and then not published them? WikiLeaks is not the only game in town. If Russians or Chinese were sending info to WikiLeaks that they were sitting on because WikiLeaks is somehow pro-Russia or pro-China, then those leakers would send the info to the NY Times (or self-publish somewhere) along with the bombshell that WikiLeaks refuses to publish their shit.

Hmmm. You know, SwashbucklingCowboy hasn't released any dirt on Russia or China either. Just who are you working for, SwashbucklingCowboy?!?

European companies prioritize their customers?

I was not aware that prioritizing customers over government contracts was a practice that only European companies were capable of. Doesn't having government contracts mean that the government is your customer? How exactly is that supposed to work? Maybe Assange meant to say "may prefer organizations such as Mozilla or European companies that prioritize their users over United States government contracts."

This just in

[93+Escort+Wagon]

Assange fighting to stay relevant by any means possible. News at 11.

Re:This just in

True enough, but I'll take a ranking of top technology companies based upon their performance on an industry standard responsible disclosure plan whether it be from Julian Assange or Consumer Reports.

Re:This just in

[bug1]

More news is coming in;

Person complains that a small group of freedom fighters arent fighting hard enough to protect their interests, suggests they should try harder.

They further complain about having to get out of bed, suggesting someone else should do it for them.

Re:This just in

Wait, are you saying Assange is a freedom fighter?

So why is he in bed with authoritarians like Putin, Farage, and has engaged in mutual praise with Trump? Even if you believe there's no official connection then Assange is a regular on Russia's state propaganda channel RT, has met up with Farage in the Ecuadorian embassy:

https://www.rt.com/tags/the-ju...

https://www.theguardian.com/co...

You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

Assange is the last person I'd want fighting for my freedom, because he doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with and is trying to support that using Wikileaks.

Re:This just in

[orzetto]

You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

You have a funny definition of freedom yourself if you think that it means developing and collecting techniques to use your personal electronics as spies for the government. Whatever Assange's relation to the Kremlin may be: on this specific issue they are fighting for your and my freedom with much more impact than any soldier ever had in the past 70 years.

Assange [...] doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with [...]

According to a 2011 interview with Forbes, Assange is some sort of libertarian. Now I tend more to what is called socialist in the US, and believe little in trickle-down economy and market shenanigans, but you are describing a fascist, which Assange has never given any reason to believe he is. On the other hand, the people who "believe in absolute rule" are also those who collect and use the hacking tricks used by the CIA. So what kind of fascist would ever disarm the brown shirts?

Re:This just in

[tietokone-olmi]

Anything that anyone does can be dismissed in this way.

Of course it's easy for Mozilla...

Of course it's easy for Mozilla. It's always easy when you have no real customers, and very few users of your product. You can make all sorts of changes very quickly because you're pretty much working in a bubble. Nobody gets upset when a rushed fix causes regressions because there are so few users to begin with, and they may never actually experience the regression directly.

Re:Of course it's easy for Mozilla...

[higuita]

what?!

so we have:
- one company that cares about the users and patch a security bug as fast as it can.
- another that knows about a hole, but as it being used by some security agency, they do nothing for months, so that those agencies can still exploit the bugs (and who knows who else is also abusing the holes) until the agency have another zero day hole and the company can finally fix that bug, while still keeping other bugs "open"

Security fixes delays is not about "regressions", is about how companies work, how important security is for them and the real interest in fixing the problems.

The are bugs that are hard to fix and may create regressions, but most of then are simple missing checks or bad code that be fixed in a few days. half a year delay like MS sometimes do are other problems...

Re:Of course it's easy for Mozilla...

[Dahamma]

The real question is, if Mozilla has "already received" this information, why would they not share it with the other browser developers in the name of security?

Is one of Wikileaks' terms that they not disclose "secret information"? That would be pretty fucking hypocritical...

Re: Of course it's easy for Mozilla...

Have you ever worked in IT? or gone to college because Firefox Is the browser of choice.

Always.

Sorry Google Chrome fans.

Re:Of course it's easy for Mozilla...

Welcome to Slashdot, where the snark flows so thickly that no matter what Mozilla does, it's always bad (or at best pointless).

And then Mozilla focuses on people who do appreciate their work instead of Slashdot, and Slashdot throws a temper tantrum.

Re: Of course it's easy for Mozilla...

[Desler]

So that's why its marketshare is only in teens?

Re: Of course it's easy for Mozilla...

It's well below that, especially if you count mobile web users, too. Generous estimates put Firefox's share at about 7%. It's likely lower than that, though. There's a good chance you could count Firefox's market share percentage using the fingers on one hand.

Re:Of course it's easy for Mozilla...

Because it wouldn't help anything. Mozilla would only have received information about security flaws in their products and since Firefox uses it's own rendering engine rather than being yet another Chromium fork (at least for the moment) there is nothing in there that would help other companies.

Re:Of course it's easy for Mozilla...

[Imrik]

Why would Mozilla tell other browser developers about problems with Mozilla?

Re: Of course it's easy for Mozilla...

[Imrik]

There's a good chance you could count Firefox's market share percentage using the fingers on one hand.

That's hardly surprising, I can count to nearly a 1/3 market share with the fingers on one hand.

Re: Of course it's easy for Mozilla...

[stooo]

Did it hurt ? Did you lose some fingers? Try with the other hand, you'll get more finger marketshare !
For me, the fingers on one hand have 50% market share over all my fingers, regardless of which hand i use.

Re:Of course it's easy for Mozilla...

[Dahamma]

Because it's open source?

Re:Of course it's easy for Mozilla...

[Dahamma]

How do you know? It's entirely possible that the same vulnerabilities exist in different software doing very similar things. How do you know it's in the rendering engine and not one of the common libraries they use, etc? You don't, because no one has made the exploits available to you.

Putin Turning the Screws On US Corps

And TRUMP gives a thumbs up, saying, "Putin is a very, very smart man. And I respect that."

So, now it's WikiRacket

[HangingChad]

It wasn't bad enough WikiLeaks played ball with a foreign intelligence service, now they're extorting companies for information. They're becoming more deplorable by the day.

Re:So, now it's WikiRacket

[LavouraArcaica]

Don't let your nationalism blinds you.
They are in a position of inferior power towards the US gov. That's why they are in such defensive position.
  And the news here are: "the us gov. is ACTUALLY spying on you and wikileaks knows how it is doing."

Re:So, now it's WikiRacket

They're becoming more deplorable by the day.

deplorable

subtle

Wikileaks BAAD; CIA Goooood!

"Wikileaks are the bad guys here. Hacking, leaking, teroristic, scum! Assange is a TRATIOR TO AMERICA!! Drone this guy!!!!"

We get it. Slashdot is a State Dept/ NSA / and now CIA spin outlet. Wikileaks == Terrorism etc, etc. The complete fucking 180 in the comment sections everytime Assange or Snowden come up. We get it now. I guess with the percentage of the tech industry now basically in surveillance/cyrpto/storage, it's not to be completely unexpected.

Man. People here used to have Lone Gunmen quotes.

Re:Wikileaks BAAD; CIA Goooood!

BYERS: And, Mulder, listen to this. Vladmir Zhirinovsky, the leader of the Russian Social Democrats? He’s being put into power by the most heinous and evil force of the 20th century.
MULDER: Barney?
BYERS: The C.I.A.
...
BYERS: You don’t believe that the C.I.A., threatened by a loss of power and funding because of the collapse of the cold war, wouldn’t dream of having the old enemy back?
SCULLY: I think you give the government too much credit.
...
BYERS: I’m not talking about the bunch of idiots up on the hill trying to bone the capital pages. We’re talking about a dark network, a government within a government, controlling our every move.
SCULLY: How can they do that?
BYERS: How? I’ll show you how. You got a twenty dollar bill?
...
(Mulder laughs. Scully looks back at him. Byers pulls out the magnetic anti-counterfeiting strip.)
BYERS: That’s just one method. They use this magnetic strip to track you. Whenever you go through a metal detector at an airport, they know exactly how much you’re carrying.

I miss being able to say all of this was "just TV".

Re:Wikileaks BAAD; CIA Goooood!

[belthize]

The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.

Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can destroy it, use it.

They thought they could turn over the chess board, but they're just another pawn.

Re:Wikileaks BAAD; CIA Goooood!

[tinkerton]

I don't expect Wikileaks to be saintly and I think it's not necessary for them to be above all criticism in order to be valuable. Checks and balances are important because there is no good guy that you can trust with too much power. And Wikileaks both has value in it, and is one of the guys you can't trust with too much power.

That doesn't mean I believe the criticism about Wikileaks. That's just a giant and very successful FUD campaign.
For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad! Just look at all the posts on here. No, that doesn't have to be bad. It can be about wikileaks being paranoid about their action being used against them somehow. It can be about requiring the company to commit to actually fixing the bug within a certain period.It could be a mediocre decision by Wikileaks. That would still not be reason to make a big fuss about it.

Re:Wikileaks BAAD; CIA Goooood!

> The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad!

All wikileaks has to do is publish these terms they expect the companies to sign.
Seriously, why the hell aren't they doing that? If wikileaks is only doing the right thing then there is no reason not to publish it.
Its fucking weird. You can't blame people for thinking its fucking weird.

Re:Wikileaks BAAD; CIA Goooood!

[tinkerton]

You can't blame people for being gullible either. What you're saying is what wikileaks is guilty of something until proven otherwise. That what they're doing is very suspicious because they're obviously bad guys. Wikileaks is communicating with many companies. Some of them collaborate with governments and deliberately leave security gaps open. It's a tricky environment to work in and there will be lawyers involved all the time. You can just as well say that if Wikileaks is doing something nasty some of the companies will expose the communication.

Re:Wikileaks BAAD; CIA Goooood!

> That what they're doing is very suspicious because they're obviously bad guys

Stop projecting.

I'm saying why the hell is a transparency organization keeping a secret that shouldn't even be a secret. It isn't like they are a company negotiating for leverage against other companies to maximize a profit.. There is no value in keeping these "industry standard" terms a secret. Especiallyif they really are "industry standard." Just post them already.

And if there is a value in keeping them secret, then explain what the value is so randos on the internet don't have make up rationalizations for you.

Re:Wikileaks BAAD; CIA Goooood!

[belthize]

If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.

I never brought up Russia though I understand why you'd assume I was talking about them. The US, Russia, China, literally any country or any organization can selectively leak info on competitors if they haven't figured out they can do this (and I'm sure they have) then they will.

It's trivial to manipulate Wikileaks by only leaking the narrative you want told.

Re:Wikileaks BAAD; CIA Goooood!

[tinkerton]

I did indeed assume you were thinking of Russia.
It's not trivial to fool Wikileaks, but it's likely that it will happen to some extent(as in being fooled by the source but not by the data). Wikileaks is good at protecting the source but I'm not sure why someone who can defend himself wants to pass through wikileaks if the info is valid. Will it make a big difference compared to publishing through another channel?

The main worry of Wikileaks is that they get fed bad info in order to damage their credibility. There surely will be attempts at that. As they get strained more under the constant siege it is possible they may start making serious mistakes and errors of judgements. That's a plausible outcome. But then they're publishing false info and then it's likely others find out.

Re:Wikileaks BAAD; CIA Goooood!

Wikileaks is good. Assage is an assclown and the organization would be better off without him.

Re:Wikileaks BAAD; CIA Goooood!

While i agree this is a weakness of their system, the problems with them (basically just him now, tbh) go a lot deeper.

One of those problems is that these things they're trying to leverage are almost certainly not as important as they have claimed, they don't have anyone capable of assessing the impact internally... but also they're trying to apply leverage in the first place on stuff that is already industry standard, specifically (it appears) to paint these companies as irresponsible while simultaneously using the same vulnerability submission system already used by security researchers.

The fact that in merit of all this, this is effectively just another brand building exercise is also a problem.

Re:Wikileaks BAAD; CIA Goooood!

[BlueStrat]

And if there is a value in keeping them secret, then explain what the value is so randos on the internet don't have make up rationalizations for you.

I'll keep this simple.

An entity (WL, a security researcher, whatever) discovers major unpatched mainstream software/OS vulnerabilities. Should the entity simply release the details publicly and let the bad actors have a field day while the software makers scramble to push out a fix before more damage is done, or would it be more responsible to first try to get the software/OS makers to committing to patching the vulnerabilities before releasing the details publicly?

Seeing as this behavior (attempting to avoid damage from publicly releasing the vulnerability details before they're patched) regarding the WL proposed release aligns fairly closely with responsible vulnerability disclosure practices among network security experts, Occam's Razor would suggest this is the more likely explanation.

Don't pay attention to the flood of government psy-op posts. It's pretty well become SOP for any article involving news/data critical of and/or exposing overreaching US intelligence.

Strat

Re:Wikileaks BAAD; CIA Goooood!

It's trivial to manipulate Wikileaks by only leaking the narrative you want told

Then if it goes on, it simply forces everyone to air everything they know about everyone.

Somehow this seems bad to a lot of posters here.

Notice how absolutely nothing is being leaked against Russia. It's all just unsubstantiated rumors.
I beg you to point me to anything like evidence, as I would be glad to absolve my fellows of my judgement of their ignorance.

Re:Wikileaks BAAD; CIA Goooood!

Your entire response is a non-sequitur. Its weird you put in so much effort typing it but zero effort into understanding the post you responded to.

You completely failed to address the question: If it is "industry standard" then why won't they publish it? The effort required to publish it is trivial. I have not postulated any nefarious motives. I am saying they are the root cause of any conspiracy ftantasies about their actions and not only could they easily dispel them, they ought to make this info public as a matter of course because they are the guys who are into radical transparency.

Don't pay attention to the flood of government psy-op posts. It's pretty well become SOP for any article involving news/data critical of and/or exposing overreaching US intelligence.

Oh jesus, I feel like I am trapped in the middle of a fight between dueling conspiracy fantasists.

Re:Wikileaks BAAD; CIA Goooood!

[BlueStrat]

If it is "industry standard" then why won't they publish it?

Reading comprehension, much?

From my post:

Seeing as this behavior (attempting to avoid damage from publicly releasing the vulnerability details before they're patched) regarding the WL proposed release aligns fairly closely with responsible vulnerability disclosure practices among network security experts...

*Not* releasing the vulnerabilities straight away without at least a good-faith attempt to allow those who can patch the vulnerabilities the opportunity to take action before the vulnerabilities are released is the standard.

Try reading *all* the way through a post you want to respond to. It will save you further embarrassment in the future.

Oh jesus, I feel like I am trapped in the middle of a fight between dueling conspiracy fantasists.

The old restrictions against US government use of propaganda domestically against US citizens no longer exists. That US TLAs use shills and sockpuppets on various social media platforms and forums is old news.

Strat

Re:Wikileaks BAAD; CIA Goooood!

If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.

Yeah, right. So where's the leak of the dirty laundry for Russia and China's massive hoarding of zero-days? Or NK or Iran? It's bloody trivial, right? Right?

Re:Wikileaks BAAD; CIA Goooood!

*Not* releasing the vulnerabilities straight away without at least a good-faith attempt to allow those who can patch the vulnerabilities the opportunity to take action before the vulnerabilities are released is the standard.

You keep repeating this non-sequitur, why?
Here I will say it louder so you can here me better: IT HAS NOTHING TO DO WITH THE DETAILS OF VULNERABILITIES

The old restrictions against US government use of propaganda domestically against US citizens no longer exists.

The fact that you believe that the CIA is here in this dinky-ass little story on this vastly diminished site that nobody pays attention to anymore is why you are a conspiracy fantasist. You have a delusional belief in the importance of anybody here being manipulated.

Re:Wikileaks BAAD; CIA Goooood!

> if the info is valid.

Half-truths are still lies.
In fact half-truths are better lies because the part you do know is true.
Its the part you don't know that matters but without proof you can't be sure.

Re:Wikileaks BAAD; CIA Goooood!

You are exactly right and also seem to be describing a wonderful world where all the government secrets are out and the populace has all the info they need to ensure that their own governments are living up to their standards. Assange would in fact win his crusade if governments started leaking real info about eachother to news organizations.

Re:Wikileaks BAAD; CIA Goooood!

[slashrio]

Correction: Wikileaks wouldn't even be there without him.

Re:Wikileaks BAAD; CIA Goooood!

[BlueStrat]

IT HAS NOTHING TO DO WITH THE DETAILS OF VULNERABILITIES

No matter how much you scream & shout, it has everything to do with the details of the vulnerabilities. The whole debate is about whether WL should simply publish the details or should they try to somehow assure, to the best of their ability and within reason, that before the details are published that the vulnerabilities are patched.

The problem is that many of the various software makers in question have contracts and/or agreements with the government and are already quite aware of many of the vulnerabilities. In some cases it's likely they were the ones that put them and/or left them there deliberately at government request.

Trying to secure written and binding assurances that the vulnerabilities will be patched before publication is only rational and logical, and also demonstrably far more conscientious of the public's security and safety than the software makers and the US government.

If the software makers and/or the US government refuses to address the vulnerabilities in a reasonable time and manner, then WL will have no choice but to simply publish the vulnerabilities and their details. Any negative consequences from that point forward from the vulnerabilities being exploited in the wild are solely the responsibility of those software makers and the US government.

As for the rest of your post, you suffer from normalcy bias. It's quite common and encouraged in the current climate. Try being better-read and informed. It's the only way people can keep their privacy and freedom. Those things *can* go away far easier and faster than you might think if the people do not fulfill their responsibilities to stay informed and educate themselves in history as well as current events.

Strat

Re:Wikileaks BAAD; CIA Goooood!

[JasterBobaMereel]

...and Governments/People have now realised that Wikileaks will publish anything they are given no questions on sources asked, as long as they can verify it is real ...and Governments have huge resources to make things look genuine

 

Re:Wikileaks BAAD; CIA Goooood!

[Yunzil]

For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?

You're joking, right?

Re:Wikileaks BAAD; CIA Goooood!

[cwsumner]

... Strat

We appreciate you contribution to the discussion, but please don't feed the trolls. It only clutters up the thread. ;-)

I wonder how many of these 0-days are really new

[dcavanaugh]

For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.

Sum it up already...

Micro$oft is in bed with the 3&4 letter agencies?

Re:Sum it up already...

Why not? :-)

They already are pushing their spyware version of Windows on everybody.

Re:Sum it up already...

3&4 letter agencies

NAMBLA is six letters.

Why Aren't the Terms Public?

What the hell?
Why doesn't wikileaks publish the terms for everyone to see?
Are they waiting for someone to leak them?
Seems really hypocritical of them.

After firing most of their QA team, Microsoft...

simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.

Re: I wonder how many of these 0-days are really n

That doesnt make sense. A vulnerability is "new" depending on who you are. Typically they are called "new" when a public disclosure is made. Of course whoever discovered it already knew about it before the disclosure (you understand why, right?) so at that time it is no longer new to them.
If you are asking how many of these are new to the govt , the fact that they are in leaked docentry already answers your question - they are not new to the govt.
If you are asking how many of the are new to blackhats outside the govt , we don't care , because they don't disclose either. And it dosent matter whether it's a govt or non govt blackhat. Either way they are out to get you.

Re:I wonder how many of these 0-days are really ne

Bet there are companies that aren't even aware of it. They just employ programmers, one of which happens to be awesome at the "underhanded-c" contest....

Re:I wonder how many of these 0-days are really ne

[tinkerton]

I see it this way. A vulnerability is found and an exploit is written. As time passes several things happen. The exploit gets distributed because of outsourcing and after a while there really are a lot of people who know about it. Other people also find out about the vulnerability. Some day software maker finds out and the bug is no longer zero day but the exploit will still work on unpatched systems so it sticks around until something much better replaces it.

As for the software company itself,I suspect most companies just take it as it comes. If they find out about a zero day bug they fix it and the CIA keeps silent. For some critical companies it may be different and the CIA may try to negotiate something, claiming nobody else will find out, or making an offer one cannot refuse. But knowing about a bug and not fixing it is complicated. It's not something you want people to find out and chances are they will. Knowing there is a bug but not investing in finding out is a bit easier. One only has limited resources.

Re: After firing most of their QA team, Microsoft.

Heard this lie before from you dude. Why are you trying so hard?

Don't expect much from Apple

they've been known to let NSA/CIA/whoever is calling the shots first insert security vulnerabilities in their software, then dictating Apple to wait months, and months, and more months, before fixing them after they have been discovered and publically announced.

Re:Don't expect much from Apple

Got any proof of that?

Fuck Wikileaks

[DogDude]

Fuck Wikileaks. I initially supported what they were trying to do, but they've proven to be complete assholes.

Re:Fuck Wikileaks

Wikileaks is doing the job no one else wants to do because governments shit all over them every time they do their job. You might as well complain that the firefighters were assholes while they saved your house or that your public attorney was a jerk while he kept you out of jail. Fuck you.

Re:Fuck Wikileaks

[drinkypoo]

You might as well complain that the firefighters were assholes while they saved your house

If the firefighters are refusing to save my house from burning unless I commit to rebuilding it out of nonflammable materials within ninety days, then they are assholes.

Re: Fuck Wikileaks

I don't know? Maybe try building your house out of something other than flash paper and strike anywhere matches?

Re: Fuck Wikileaks

[drinkypoo]

I don't know? Maybe try building your house out of something other than flash paper and strike anywhere matches?

I would like to see the code demand nonflammable materials. I'm actually a renter, but I live in a wooden house in wildfire country. They have a hard-on for controlled burns around here but there have still been a couple of close calls. Whee! I want to build something out of stacked shipping containers (stacked in the orientation in which they are designed to be stacked, but with spacers) for a combination of seismic stability and fire resistance, to say nothing of material re-use.

Re:Fuck Wikileaks

[coofercat]

You're being modded a troll. Want to explain why you think Wikileaks are arseholes? What are they doing that's so bad in this case?

Re:Fuck Wikileaks

[TechnoJoe]

If the government is refusing to cut you a check for your flooded-out home unless you commit to rebuilding it further away from the flood zone, they are being perfectly reasonable.

Re:Fuck Wikileaks

[drinkypoo]

If the government is refusing to cut you a check for your flooded-out home unless you commit to rebuilding it further away from the flood zone, they are being perfectly reasonable.

Yes, that would be great, but unfortunately that's not what they do. Instead, they just try to make it hard for you to get a check no matter what, but then they don't put any restrictions on where you can spend it and then people rebuild on the same floodplain all over again.

How to Google?

https://it.slashdot.org/story/16/12/13/053243/pwc-sends-legal-threats-to-researchers-who-found-critical-security-flaw
https://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill
https://yro.slashdot.org/story/05/01/11/0129228/security-researcher-faces-jail-for-finding-bugs
https://it.slashdot.org/story/15/05/05/2335223/cyberlock-lawyers-threaten-security-researcher-over-vulnerability-disclosure

Seriously, man, it took me like 4 seconds to type "security researcher sued site:slashdot.org" into Google.

Re: How to Google?

[Entrope]

Exactly one of those was a software company, and that company was European and pretty insignificant. That doesn't excuse keeping the details from the major vendors that most people care about.

Re: How to Google?

This is just willful ignorance. Refuse to look at evidence, cherry pick a sampling of evidence presented, and all to push up preconceived notions. No sane thought process there. Just bias, anti-science and reason.

Re:How to Google?

[SwashbucklingCowboy]

Yeah, a few companies have threatened to sue. The Clinton campaign didn't sue Wikileaks. The US hasn't sued them, but Microsoft or Google will? Seriously, get a clue.

Re:How to Google?

[zedaroca]

Read about Weev. He was sued and got jail time. He didn't even publish the flaw itself, just gave proof it existed to journalists. This would be much more serious.
On getting a clue, the Wikileaks "secret" indictment is common knowledge. Everybody knew about it for years when Google informed some people about the seizure of their emails because of that investigation. US officials routinely reply to questions about Wikileaks saying they can't discuss it because of an ongoing investigation. Assange is not attainable now, there is no reason to bring the charges against him, this doesn't mean they will not be sued. After all, they are not Clinton.

Re: How to Google?

[stoatwblr]

Plenty of large software companies have done it, some have been american and some have been _very_ large. I'm aware of a couple of cases where a superinjunction was sought (and granted) - a superinjunction means that you can't even drop hints that there's a court case.

Personal opinion: Given the exploits are in use by greyhats (spy agencies), then blackhats probably have them anyway and rapid disclosure is the prudent path so that whitehats can man the barricades.

MS and others used to be notorious for not fixing bugs in a timely manner.

Re:How to Google?

Read about Weev. He was sued and got jail time. He didn't even publish the flaw itself, just gave proof it existed to journalists.

Proof? A few people would be proof. Publishing personal information on millions of people in an attempt to embarrass AT&T is what he did. Read what he wrote on IRC and it is obvious he's no white hat and belongs in jail. He was convicted and only got of on a technicality.

Re: How to Google?

[Entrope]

My cousin's best friend's college roommate's neighbor has an Internet GED in law, and she said that this has never _ever_ happened. So I'm going to just have to not take your utterly unsubstantiated word for it.

Re:I wonder how many of these 0-days are really ne

[AHuxley]

A few 100 to 10's per year per product cycle? It depends on the average price and the clandestine budget for buying on the open market per year.
Say a budget range for a good exclusive deal per zero day for a new OS or device in the 100 of apps/code/access products?
Thats the positive side that still looks corporate. Its hard to tell who is buying in the mix of buyers globally.
A flood of gov/mil cash in the wild would stand out even with a lot of US/UK front companies every y ear doing the malware buying.
The negative side ensuring no US or UK brand has the skills to find the issue and fix the issue days or months later.
If the security services buy too much in the wild, too many people start to notice and others want that payment or try to follow the payment front.
Other teams then start looking for the funding and find payment methods, staging servers. So the numbers are kept low per year to hide the mil/gov origins.
Also to avoid the better AV efforts and other security professionals from reading chat about too many big new cash payments.
Some are networked, some need a human to place the malware and collect the results.
A lot of different products are needed but too much and its detected by a wider community interested in every aspect of computer security.

Re:This is extortion: nope!

[higuita]

Nope, this is not extortion nor blackmail, it is really trying to get a fix quickly and not letting companies screw their costumers, either by being lazy or by security agencies pressure

If a company gets the bug report and then do not do anything for one year, what wikileaks can do ? release the info before the fix or wait more? either way, it is already too much time for a security bug that is being abused and in the end the info will be public with no one protected and in the end, it will always be wikileaks fault.

better way is to agree the terms of the disclosure, putting hard limits for the fixes timelines. This pressures the company to follow the agreed timeline and release a fix. If they fulfill, everyone wins, if they fail, wikileaks can pressure for the update and depending of the reason for the delay, they can release the info without patch and report that the company failed with the agreement. this proves that wikileaks tried to follow the rules and the fault for the problem is the company.

I think this is totally logic, MS, Oracle and many other companies do not care about security or take way too long to release fixes... as as the article hints, security agencies can pressure to keep the holes open. With a agreement, everyone knows what will happen and the end user will win. Without any agreement, just sending the info to the companies, those bugs could be open for months, being exploit by unknowns and everyone losed.

Just check the security reports, most of then are fixed in a few days, so asking for a date limit is a good thing... as you also find security fixes that took way to long to be fixed

True colors

Assange saying Mozilla cares about their users? That's rich. If Mozilla cared at all about it's users, then why do they do everything possible to fuck up the browser and hurt their users?

WRONG

0-day anything is the same day its first discovered by whomever discovered it......

in piracy a 0-day app crack happens when they crack first appears on TOP SITES not for the public but for top pirates

, in this case a 0-day exploit is when the CIA discovered them and thus NONE of these are now considered 0-day.

the cia is knocking at your door sir

hi we'd lie to talk to you about your net use

Kill the messenger

Seems this is being twisted back on wikileaks, when it should be purely focuses on the WITTING PARTNERS OF THE CIA'S HACKING ACTIVITIES.

Ignore the trolls and misinfo agents.

So you don't know they're demands.

They may be requirements for "responsible disclosure", breech of which would cause their sources to dry up, just like journalists don't blab early from confidential sources to protect their source from being easily tracked.

The least evil organization has already agreed to

[itsphilip]

It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions

Is receiving information a crime?

[manu0601]

We talk about leaked classified material that remains classified. Does it qualify as a federal crime to accept it?

Re:Is receiving information a crime?

We talk about leaked classified material that remains classified. Does it qualify as a federal crime to accept it?

That depends on the juristiction and I don't know which Wikileaks are running under.

Compare with child porn where you can get prosecuted it it's discovered anywhere on your computer.

Re:Is receiving information a crime?

This is not about the registered location of Wikileaks but that of the US based companies. For them, it may or may not be illegal to access the material.

Re:Is receiving information a crime?

Is it a crime to know? Is it a crime to think?

Re:Is receiving information a crime?

[cwsumner]

In many countries, including the US, it is a crime to accept classified information that you are not cleared for.

If you don't like it, talk to your congressperson.

Priceless

They don't even deserve that consideration.

This makes me happy

A deadline is very necessary in order to prevent circumvention of fixes. Example, it took Google until December of 2016 to release Dirty Cow fixes for Android users. Why? Because a vulnerability patch by intelligence viewpoint means loosing a tool. Just a theory, but I blame the election and wanting to monitor voter chatter. A deadline prevents things like this. Also, for companies that act like they love open source so much, they shouldn't have any trouble caring about their users over profits or have an issue with vulnerabilities and proposed fixes being publicly posted. People that see this as extortion may be for a shock when experienced and responsible programmers look at the vulnerabilities and realize that they may be intentional, either for personal stats gathering or government back scratching.

What.

[stooo]

What ?
Revealing security flaws in a responsible manner is extorsion ?

Re:I wonder how many of these 0-days are really ne

Given how they've acted towards everything else on this planet, chances are it's the CIA going "you claim it was patched without a single change within the code or your children die in jail with you"

Re:This is extortion: nope!

[tinkerton]

I think this is totally logic, MS, Oracle and many other companies do not care about security or take way too long to release fixes...

Actually it is quite possible to be critical about Wikileaks having demands. In principle at least. In practice Wikileaks is being smeared and attacked all day long and if they do not correspond to the highest standards they are regarded as evil. That is not realistic,Wikileaks can be very valuable even if it is very flawed. There are plenty of flaws around with the other players as well but for some reason other standards apply there.
What I would regard as sensible critique is that Wikileaks should try and stick to its core task: being the first step for whistleblowers to reach the public. They should try to limit their responsibility to that. To the extent possible they should avoid publishing themselves. It can be a plan B, but plan A, passing through journalism, should not be dropped even if it is problematic . They can release bugs to companies but don't necessarily have to take on responsibility for the bugs being fixed. So I think Assange is overstretching there. But that doesn't make him bad. It's more a disagreement about strategy.

Why secret?

[CanEHdian]

Anyone able to explain why these agreements/demands are SECRET? There should be ("industry standard"?) nothing stopping WL from publishing them. In the interest of transparancy.

Re:Why secret?

[TechnoJoe]

You have a point. Someone should send those secret demands to WikiLeaks. They'll get the info out. Oh wait...

Re: After firing most of their QA team, Microsoft.

[drinkypoo]

Heard this lie before from you dude. Why are you trying so hard?

Well, who do you think Microsoft is firing?

Re:I wonder how many of these 0-days are really ne

For all we know, M$ and others may have written the code in the first place.

Wikileaks really has crumbled

Wikileaks is now holding information hostage with demands? This shows more than ever before who Julian Assange really is. He is not a hero who helps to release valuable information to the world. He uses whatever he has for his own gains. If I had some government secrets that I thought should be public, he is the last guy I would turn to. I hope they kick him out of the embassy he calls home and feed him to the wolves.

Ahh yes

More proof that wikileaks is a terrorist organization looking to expand it's own pro-authoritarian pro-Putin influence and ensure they have all the backdoors they need to get juicy kompromat for idiotic Americans

Prefer European companies, eh?

[tietokone-olmi]

Or anyway those who don't have a simplistic, easily-probed agreement or other conflict of interest with classified U.S. three-letter agencies. This criteria changes exactly nothing.

Beware the false prophets. Ineffective activism is exactly equivalent to doing nothing at all.

Of course

Of course they have "demands", that's the only way Assange can claim credit for being a "hero". Otherwise they'd just disclose them to the vendor and say they are going public in 90 days like everyone else does. No, instead Julian wants to play act that he's strong-arming "government contracts"

The sooner people figure out that wikileaks is just ego masturbation for Assange the better off we'll be.

what bullshit

they leak govt secrets then have secret demands -this is called the pot calling the kettle black

So you have proof of that laundry?

Or are you assuming it?

And a quick look will show you that WL have posted dirty laundry of both China and Russia. But they haven't recently and this by default would be presumed because they have nothing. If you know this is wrong, where is your evidence of this stuff?

WikiLeaks acting childish? Astonishing.

[michael_wojcik]

The WikiLeakies need to grow up. John Young may be a class-A curmudgeon (I've been on the wrong side of his disgruntlement myself), but Cryptome has been doing this since long before Assange was a gleam in the media's eye, and behaving like a site run by adults in the process.

There are far too many self-important glory-hounds associated with WikiLeaks (starting, of course, with the Fugitive himself). The organization has certainly done good in disclosing some important materials, but is all too easily distracted from its ostensible core mission.

Withholding 0-days from vendors is bad, regardless of whether it's the CIA or WikiLeaks that does it.

Who says the terms offered Mozilla = Those for MS?

It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions

Are you sure they're offering the same terms to everyone? I'm not, particularly when said terms are apparently secret (rather funny, for a "transparency über Alles" group of people...or rather, group of people who pay lip-service to said philosophy, but only apply it against certain nations, when they feel like it).

RevengeDataPorn

WikiLeaks is no bettaer than the revenge porn creeps who target innocent people and businesses with threats of exposure or fake smear csmpaigns calling someone a whore or a child molestor. Assange is like the politicians since he himself is trying to gain power over others regardless of the damage and pain he inglicts on others.

Re:This is extortion: nope!

Assange has been evil ever since he asked Amnesty International and other similar groups for $700,000 to remove names of Afghan civilians who might get killed by the Taliban if their names get released on Wikileaks.

In my mind, he's no longer one of the good guys, even if he is releasing interesting information.

Bullshit

[Rujiel]

Wikileaks isn't obligated to fix your 0days for you. If you don't want the help, just do it yourself.

Re:This is extortion: nope!

[higuita]

AFAIK, that info is a rumor, probably spread to make wikileaks look bad

yes, they released docs with names, they said they should have been more careful, but i never saw any real news about that money, only random forum posts