Slashdot Mirror


WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met (fortune.com)

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions.
Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decide for themselves."

10 of 228 comments

  1. This is extortion by Anonymous Coward · Score: 5, Informative

    This is extortion. It's one thing to disclose leaked information to expose corruption, which is something good journalists do. However, journalism doesn't involve using leaked information as leverage to make demands. That is called extortion or blackmail. Wikileaks has shown that, at best, it's a criminal organization. I'm dismayed that so many people at Slashdot always rush to defend Wikileaks and Julian Assange in articles like these. It says a lot about the complete lack of character of most of the users on this site, which is also why there is so much tech-related crime. All of you should be ashamed of yourselves.

    1. Re:This is extortion by green1 · Score: 5, Insightful

      Depends what the agreement is.

      It could simply have been, we'll disclose this to you, if you promise not to sue us for posting it publicly after 90 days. That would be quite reasonable.

      You're rushing to judge them without all the facts. But that's in vogue these days.

    2. Re:This is extortion by Megol · Score: 5, Interesting

      I wonder why wikileaks doesn't leak the agreement terms?

    3. Re:This is extortion by bill_mcgonigle · Score: 5, Interesting

      Wish you critics would make up your fucking mind.

      You expect the CIA to not have professional complainers on the Internet? Cute. Look above and you have a guy who admits he does work for the "Navy" calling Wikileaks extortionists already (that word does not mean what he thinks it means).

      We can be quite sure Wikileaks isn't asking for anything for themselves for the disclosure (because they never have) - it seems like they must be asking for something for the users in return or they could just do a Project Zero type of disclosure.

      MoFo obviously didn't have a problem with the terms, so it's not going to be something against user freedom (say what you want about Rust and WebExtensions, they get the freedom part mostly right). But MoFo doesn't have an ongoing private relationship with intelligence agencies, and that's what they claim the issue is about, so it passes the smell test. n.b. Wikileaks is apparently leveraging one disclosure for another disclosure.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    4. Re:This is extortion by Anonymous Coward · Score: 5, Informative

      Regardless, what of it? Extortion is wrong. Period. The fact that someone else extorted first doesn't make your extortion of others right.

      Regardless of what world you may personally live in, be aware that people of integrity follow certain protocols. In this case, Assange did not even need to ask and could have simply released the material. However, he put it to a public vote as to what should happen.

      The public voted that the material should be released to the technology companies. As part of that, there are certain conditions that a company is expected to follow, such as ensuring that the bug is patched within 90 days. Now, Anubus IV, why do you think that might be? I'll tell you, as it obviously flew over your head. The reason they have the 90-day window is so that WikiLeaks can release the material after that window has passed, and know that what is being released won't cause a metric tonne of exploits to suddenly be available to every machiavellian individual on the planet.

      Is that extortion? No, that is prudence and not being a dick.

      For the record, I voted against it being reported to the technology companies, as I know they are the problem. That Microsoft is framing matters the way they are, only serves to prove my point; they have chosen to be dicks, and invariably that is what they do.

    5. Re:This is extortion by The Real Dr John · Score: 5, Interesting

      How can anyone say this is extortion? Why did Mozilla sign the honesty form ("industry standard responsible disclosure plan,")? Maybe because they are more honest than MS? Maybe because they have nothing to hide? This is an attempt to shame the cowardly tech giants that have been in on this crap from the beginning. Sign the form, fix the holes!

      --
      A brain is a terrible thing to waste... Mind? That's debatable.

    6. Re: This is extortion by AmiMoJo · Score: 5, Insightful

      They are doing it to find out which vendors are in bed with the CIA. If they won't agree to fix the bug in 90 days up front, chances are it's because they don't want to commit to fixing something that the CIA might be using with their knowledge/support.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    7. Re: This is extortion by Entrope · Score: 5, Insightful

      Equally plausible: They're doing it because they're a front for the Kremlin.

  2. After firing most of their QA team, Microsoft... by Anonymous Coward · Score: 5, Informative

    simply can't commit to timelines. Most of my friends that worked there have either been laid off or quit due to ridiculous hours or vacation inequality, so their best programmers are no longer there. They simply can't fix problems in a timely manner any longer.

  3. Re:Wikileaks BAAD; CIA Goooood! by belthize · Score: 5, Insightful

    The world will make a lot more sense when you realize it's possible for both sides to be bad. Comparative ethics is not a zero sum game.

    Wikileaks' intent to provide an outlet for whistle blowers to uncover corruption in various governments and corporations had a lot of merit. Unfortunately the very model of "we don't care where it came from, we just post it" is its undoing. It didn't take long for governments to figure out if you can destroy it, use it.

    They thought they could turn over the chess board, but they're just another pawn.