Slashdot Mirror

← Back to Stories (view on slashdot.org)

WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)

Posted by EditorDavid on from the secrets-about-secrets dept.

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."

38 of 228 comments (clear)

  1. This is extortion by Anonymous Coward · · Score: 5, Informative

    This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should he ashamed of yourselves.

    1. Re:This is extortion by green1 · · Score: 5, Insightful

      Depends what the agreement is.

      It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.

      You'r rushing to judge them without all the facts. But that's in vogue these days.

    2. Re:This is extortion by Megol · · Score: 5, Interesting

      I wonder why wikileaks doesn't leak the agreement terms?

    3. Re: This is extortion by Entrope · · Score: 4, Interesting

      Has any software vendor of note tried to sue people for public disclosure of security flaws? If so, what was the outcome?

      I struggle to see a good-faith reason for WikiLeaks to require agreement to any terms before they tell vendors about these flaws. It gives the impression that they want the bugs to stay open and/or have a political stick to beat the vendors with.

    4. Re:This is extortion by Anubis+IV · · Score: 4, Insightful

      Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

    5. Re:This is extortion by Mephistophocles · · Score: 4, Interesting

      This is extortion.

      No, it isn't. Extortion is defined as the use of force or threat to achieve a gain of some sort for the party threatening the use of force (i.e., I put a gun to your head and say "I won't shoot you if you give me $100, otherwise I will").

      It also isn't blackmail unless Wikileaks is attempting to achieve some sort of gain for themselves by threatening to release the information publicly unless these companies fail to pay them.

      In other words, if wikileaks isn't gaining anything (money etc) from this, it isn't extortion or blackmail. It's Wikileaks allowing the tech companies to fix the holes the CIA created before they release information about those holes to the general public - thereby possibly allowing the tech companies to save face. That makes sense, since it's quite possible that it's no fault of any of these companies that the CIA decided to completely trash their products in the name of spying on everyone. The damage is already done, in other words, and there's really nothing stopping Wikileaks from just telling the world what the damage is. It's kind of nice of them to give Microsoft etc some breathing room first, so that when they do release details on the damage done, they can also include information that shows these tech companies have already fixed the problems.

      --
      Deja Moo: The distinct feeling that you've heard this bull before.
    6. Re:This is extortion by Anonymous Coward · · Score: 2, Insightful

      So when Wikileaks releases raw dumps of leaked data, they get criticized because the data wasn't "curated" and personal information like cc numbers, phone numbers and addresses, social security, etc. are exposed. But when Wikileaks holds back information because the information contains sensitive and potentially harmful data , they get criticized. Wish you critics would make up your fucking mind.

    7. Re:This is extortion by bill_mcgonigle · · Score: 5, Interesting

      Wish you critics would make up your fucking mind.

      You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).

      We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.

      MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:This is extortion by Anonymous Coward · · Score: 2, Insightful

      Why don't the tech companies that received the emails do it? The sources from the stories obviously are employees from the companies contacted and spoke to the journalist. Why don't they leak the agreement terms?

    9. Re:This is extortion by Anonymous Coward · · Score: 5, Informative

      Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

      Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.

      The public voted that the material should be released to the technology companies. As part of that, there are certain conditions that a company is expected to follow, such as ensuring that the bug is patched within 90 days. Now, Anubus IV, why do you think that might be? I'll tell you, as it obviously flew over your head. The reason they have the 90-day window is so that WikiLeaks can release the material after that window has passed, and know that what is being released won't cause a metric tonne of exploits to suddenly be available to every machiavellian individual on the planet.

      Is that extortion? No, that is prudence and not being a dick.

      For the record, I voted against it being reported to the technology companies, as I know they are the problem. That Microsoft is framing matters the way they are, only serves to prove my point; they have chosen to be dicks, and invariably that is what they do.

    10. Re:This is extortion by The+Real+Dr+John · · Score: 5, Interesting

      How can anyone say this is extortion? Why did Mozzila sign the honesty form ("industry standard responsible disclosure plan,")? Maybe because they are more honest than MS? Maybe because they have nothing to hide? This is an attempt to shame the cowardly tech giants that have been in on this crap from the beginning. Sign the form, fix the holes!

      --
      A brain is a terrible thing to waste... Mind? That's debatable.
    11. Re: This is extortion by AmiMoJo · · Score: 5, Insightful

      They are doing it to find out which vendors are in bed with the CIA. If they won't agree to fix the bug in 90 days up front, chances are it's because they don't want to commit to fixing something that the CIA might be using with their knowledge/support.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: This is extortion by Entrope · · Score: 5, Insightful

      Equally plausible: They're doing it because they're a front for the Kremlin.

    13. Re: This is extortion by Entrope · · Score: 2

      Found the neoMcCarthyite.

      Another useful idiot self-identifies.

      I do not think either hypothesis is convincing -- but they are basically equally plausible.

      Any person or company with a US security clearance can lose it if they solicit the unauthorized disclosure of classified information. If they agree to Wikileaks' terms, that would probably qualify as a serious security violation; even talking with Wikileaks about the subject might qualify. That doesn't mean they are "in bed with" the CIA, only that they do work related to national security and wish to continue doing that.

      There are lots of other reasons that a company would refuse to agree to terms dictated by a party with details of security problems. Some examples: it sets a bad precedent, it suggests the possibility of corruption, and there is seldom any way to enforce compliance.

      Because there are so many reasons that companies would reject terms dictated by Wikileaks, and not want to negotiate terms, it is either naive or malicious to infer that companies who refuse Wikileaks's terms did so because they have secret deals with the CIA or anything else to hide.

    14. Re: This is extortion by Anonymous Coward · · Score: 3, Insightful

      Wow, tinfoil hat much?

      The more likely solution is that companies aren't willing to agree to fix a set of bugs within 90 days without even knowing what that set of bugs is. I think it would be incredibly irresponsible for someone to agree to do a set of work in a set timeframe without even knowing what that work is.

    15. Re:This is extortion by poity · · Score: 4, Insightful

      Wikileaks: I need guarantees that you will use this information to the benefit of your users rather than the government
      Microsoft: We'll get back to you on that
      Media: Wikileaks isn't helping Microsoft unless demands are met
      Media Consumers: WTF I HATE WIKILEAKS

      --
      your thin skin doesn't make me a troll
    16. Re: This is extortion by AmiMoJo · · Score: 2

      Either way, it's of massive benefit to us.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. This just in by 93+Escort+Wagon · · Score: 2, Insightful

    Assange fighting to stay relevant by any means possible. News at 11.

    --
    #DeleteChrome
    1. Re:This just in by bug1 · · Score: 4, Insightful

      More news is coming in;

      Person complains that a small group of freedom fighters arent fighting hard enough to protect their interests, suggests they should try harder.

      They further complain about having to get out of bed, suggesting someone else should do it for them.

    2. Re:This just in by Anonymous Coward · · Score: 4, Insightful

      Wait, are you saying Assange is a freedom fighter?

      So why is he in bed with authoritarians like Putin, Farage, and has engaged in mutual praise with Trump? Even if you believe there's no official connection then Assange is a regular on Russia's state propaganda channel RT, has met up with Farage in the Ecuadorian embassy:

      https://www.rt.com/tags/the-ju...

      https://www.theguardian.com/co...

      You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

      Assange is the last person I'd want fighting for my freedom, because he doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with and is trying to support that using Wikileaks.

    3. Re:This just in by orzetto · · Score: 3, Interesting

      You have a funny definition of freedom if it means support and praise of people who back things like elimination of civil liberties, strict control of speech, elimination of equality, and convergence towards dictatorship.

      You have a funny definition of freedom yourself if you think that it means developing and collecting techniques to use your personal electronics as spies for the government. Whatever Assange's relation to the Kremlin may be: on this specific issue they are fighting for your and my freedom with much more impact than any soldier ever had in the past 70 years.

      Assange [...] doesn't believe in freedom, he believes in absolute rule by only those who he personally agrees with [...]

      According to a 2011 interview with Forbes, Assange is some sort of libertarian. Now I tend more to what is called socialist in the US, and believe little in trickle-down economy and market shenanigans, but you are describing a fascist, which Assange has never given any reason to believe he is. On the other hand, the people who "believe in absolute rule" are also those who collect and use the hacking tricks used by the CIA. So what kind of fascist would ever disarm the brown shirts?

      --
      Victims of 9/11: <3000. Traffic in the US: >30,000/y
  3. Re: Sounds reasonable to me by amiga3D · · Score: 2, Insightful

    There are no good guys in this scenario. Wikileaks is so focused on their little crusade for openness that they've adopted the same "the end justifies the means" approach as the CIA and NSA.

  4. I wonder how many of these 0-days are really new by dcavanaugh · · Score: 2

    For all we know, the CIA might have written deliberate vulnerabilities to be patched into production code. Either that, or maybe they bullied software companies into ignoring certain vulnerabilities that would otherwise be fixed. Considering how many tech companies have been enlisted by big-government and how many cover stories have been busted, nothing can surprise me anymore.

  5. After firing most of their QA team, Microsoft... by Anonymous Coward · · Score: 5, Informative

    simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.

  6. Re:Wikileaks BAAD; CIA Goooood! by belthize · · Score: 5, Insightful

    The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.

    Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can destroy it, use it.

    They thought they could turn over the chess board, but they're just another pawn.

  7. Fuck Wikileaks by DogDude · · Score: 4, Interesting

    Fuck Wikileaks. I initially supported what they were trying to do, but they've proven to be complete assholes.

    --
    I don't respond to AC's.
    1. Re:Fuck Wikileaks by drinkypoo · · Score: 4, Insightful

      You might as well complain that the firefighters were assholes while they saved your house

      If the firefighters are refusing to save my house from burning unless I commit to rebuilding it out of nonflammable materials within ninety days, then they are assholes.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:Wikileaks BAAD; CIA Goooood! by tinkerton · · Score: 4, Interesting

    I don't expect Wikileaks to be saintly and I think it's not necessary for them to be above all criticism in order to be valuable. Checks and balances are important because there is no good guy that you can trust with too much power. And Wikileaks both has value in it, and is one of the guys you can't trust with too much power.

    That doesn't mean I believe the criticism about Wikileaks. That's just a giant and very successful FUD campaign.
    For instance I disagree that they're being manipulated by Russia, there is no proof for it so why believe the claim?
    The article above is just part of it. Wikileaks is asking the companies to sign something. That must be bad! Just look at all the posts on here. No, that doesn't have to be bad. It can be about wikileaks being paranoid about their action being used against them somehow. It can be about requiring the company to commit to actually fixing the bug within a certain period.It could be a mediocre decision by Wikileaks. That would still not be reason to make a big fuss about it.

  9. How to Google? by Anonymous Coward · · Score: 4, Informative

    https://it.slashdot.org/story/16/12/13/053243/pwc-sends-legal-threats-to-researchers-who-found-critical-security-flaw
    https://it.slashdot.org/story/11/10/14/2129228/security-researcher-threatened-with-vulnerability-repair-bill
    https://yro.slashdot.org/story/05/01/11/0129228/security-researcher-faces-jail-for-finding-bugs
    https://it.slashdot.org/story/15/05/05/2335223/cyberlock-lawyers-threaten-security-researcher-over-vulnerability-disclosure

    Seriously, man, it took me like 4 seconds to type "security researcher sued site:slashdot.org" into Google.

    1. Re:How to Google? by zedaroca · · Score: 2

      Read about Weev. He was sued and got jail time. He didn't even publish the flaw itself, just gave proof it existed to journalists. This would be much more serious.
      On getting a clue, the Wikileaks "secret" indictment is common knowledge. Everybody knew about it for years when Google informed some people about the seizure of their emails because of that investigation. US officials routinely reply to questions about Wikileaks saying they can't discuss it because of an ongoing investigation. Assange is not attainable now, there is no reason to bring the charges against him, this doesn't mean they will not be sued. After all, they are not Clinton.

  10. Re:Sum it up already... by Anonymous Coward · · Score: 2, Funny

    3&4 letter agencies

    NAMBLA is six letters.

  11. Re:Wikileaks BAAD; CIA Goooood! by belthize · · Score: 4, Interesting

    If they're not they will be. It's bloody trivial for a government to gather damning info on another country, leak it to wikileaks and wait for them to get all the flak.

    I never brought up Russia though I understand why you'd assume I was talking about them. The US, Russia, China, literally any country or any organization can selectively leak info on competitors if they haven't figured out they can do this (and I'm sure they have) then they will.

    It's trivial to manipulate Wikileaks by only leaking the narrative you want told.

  12. The least evil organization has already agreed to by itsphilip · · Score: 2

    It's clear that the terms aren't unreasonable and likely for the common good if the only not-for-profit (Mozilla) has already agreed to the conditions

  13. Re: Sounds reasonable to me by Imrik · · Score: 2

    The point is that it doesn't matter what the ends are if the means are the problem.

  14. Re: Of course it's easy for Mozilla... by Imrik · · Score: 2

    There's a good chance you could count Firefox's market share percentage using the fingers on one hand.

    That's hardly surprising, I can count to nearly a 1/3 market share with the fingers on one hand.

  15. What. by stooo · · Score: 2

    What ?
    Revealing security flaws in a responsible manner is extorsion ?

    --
    aaaaaaa
  16. Why secret? by CanEHdian · · Score: 3, Interesting

    Anyone able to explain why these agreements/demands are SECRET? There should be ("industry standard"?) nothing stopping WL from publishing them. In the interest of transparancy.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  17. Re: After firing most of their QA team, Microsoft. by drinkypoo · · Score: 3, Interesting

    Heard this lie before from you dude. Why are you trying so hard?

    Well, who do you think Microsoft is firing?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"