Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org)

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
  • by ISoldat53 ( 977164 ) on Wednesday March 08, 2017 @09:44AM (#53999433)
    Is it the CIA's responsibility to point these out? How many "flaws" are intentional?
    • by Anonymous Coward on Wednesday March 08, 2017 @09:46AM (#53999451)
      Did you not read the summary?

      Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

      It's their job.

      • by phayes ( 202222 )

        Says who?

        • by thegarbz ( 1787294 ) on Wednesday March 08, 2017 @10:12AM (#53999625)

          Says the CIA on their about page under responsibilities of the director.

          Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

          • And, in your mind, there will never be any problem deciding what is appropriate?

            It seems to me to be a typical document meant to cast an 'appropriate' image of an agency whose very nature makes it impossible to easily explain its actions.

            I find this action by Wikileaks to be disturbing by its timing. The contents shouldn't be a total surprise.

            There's been plenty of hints going back years. In 2003 we had OnStar versus the FBI. A couple of years ago Verizon tried to patent an invention that made your TV bo

            • by Anonymous Coward on Wednesday March 08, 2017 @11:12AM (#54000011)

              The problem with not having this released by Wikileaks is that until now, the people who claimed this capability existed were labeled as paranoid conspiracy theorists. Same thing with Snowden's leaks. I saw a column in the USA Today just now that said Americans don't need to worry because the CIA doesn't spy on Americans. Utter crap. They give the tools to European agencies to spy on us in the USA and we spy on their citizens for them.
              National security does not justify whatever they want to do. They no longer fear prosecution because no one faced consequences after the Snowden leaks.
              Basically, if nothing happens now except a manhunt for the whistleblower, we are all freaking doomed.

              • by hesiod ( 111176 )

                National security does not justify whatever they want to do.

                But 9/11! We need to be protected!

          • by gnick ( 1211984 )

            Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

            The definition of the word "appropriate" makes all the difference in that statement. Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?

            • Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?

              That depends on what is more important: protecting yourself or protecting the people. Let's face it, it hasn't been the latter for a long time.

              • by phayes ( 202222 )

                Some parts of the USG have the mission to protect us: CERT for example.

                Some parts have the mission to get, evaluate and distribute information to the State dept and the rest of the executive branch. CIA/NSA/...

                Anyone who claims that both are not needed and the USG should only "Protect us" is either lying or an idealistic fool. Which are you?

          • by T.E.D. ( 34228 ) on Wednesday March 08, 2017 @11:11AM (#53999999)

            Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;

            "intelligence" is government-speak for information they took from someone. If your desk safe has a factory combination that always works, that isn't "intelligence". The contents of what they found inside your safe when they used that combo is intelligence.

            So no, it's not their job to warn US citizens if they are vulnerable domestically. That's called "domestic counter-intelligence", and is explicitly the FBI's job.

            Sure, it would be nice if the CIA did it anyway. But if that burns a method they are finding useful themselves to do things that ARE their job, I wouldn't hold my breath.

            • All this says is that you are ok with the CIA operating on its own agenda.
          • There's nothing in that italicized statement that states it's their responsibility to ensure your right to privacy.

            There's nothing in that statement that states it's their responsibility to disclose vulnerability information so the holes can be patched.

          • by phayes ( 202222 )

            They "correlate and evaluate" to the State department and other entities of the USG.

            The "Disseminating information" part of their mission does not mean that they must (or should) inform corporate entities of their bugs.

      • Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

        Security yes... abroad. Privacy: not so much.

        The CIA has been historically responsible for international operations, including spying in and on foreign nations. The FBI is supposed to do those things inside the country.

        • As long as commercial interests, and hence the national security interests that hinge in no small part on the economic stability and power of the US, use the same tools that private citizens use, protecting our privacy is basically collateral damage of protecting US national security.

      • by ThomasBHardy ( 827616 ) on Wednesday March 08, 2017 @10:11AM (#53999619)

        While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.

        I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.

        But I'm not so sure that they have a legal obligation to do so.

        There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.

        So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.

        • by AmiMoJo ( 196126 ) on Wednesday March 08, 2017 @11:24AM (#54000109) Homepage Journal

          They knew that Samsung TVs could be used to spy on people via their cameras and microphones. Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc. And in all likelihood, the Russians and the Chinese and the Iranians and the North Koreans and GCHQ and many other intelligence agencies know all this too. I wouldn't be at all surprised if for-hire black hats knew as well.

          So the CIA has a choice. Sit on this information and use it to gather intel themselves, but leaving the US at severe risk, or publish and give up their capability but also deny it to their adversaries. They must have either decided that the intel was more valuable than the loss to US citizens and corporations, or more likely never even had this discussion.

          • Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc.

            It's worse than that. These TVs don't just end up there, they're actively marketed at these places because they can install various video conferencing apps and avoid the need to have a separate computer to control the video conferencing system.

            • Samsung TVs are quite popular. It's likely that they are in sensitive places, like meeting rooms of US corporations, hospitals, newsrooms etc.

              It's worse than that. These TVs don't just end up there, they're actively marketed at these places because they can install various video conferencing apps and avoid the need to have a separate computer to control the video conferencing system.

              So let me get this straight. The CIA works with Samsung to market TVs to specific people and corporations and then also interferes by backdooring these specific TVs before shipping them out? Because it's already been proven the TVs can't be accessed remotely without first having physical access (USB port) and modifying them.

      • I disagree (Score:5, Insightful)

        by Weaselmancer ( 533834 ) on Wednesday March 08, 2017 @10:28AM (#53999731)

        It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.

        I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.

        They're a spy agency, folks. This is what spies do.

        • I thought CIA stood for confidentiality, integrity, and availability and that was the mission of this agency!
      • Did you not read the summary?

        Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

        It's their job.

        I hate to disagree, but isn't that the FBI's job domestically? At least it's going to be part of Homeland Security or something... The CIA is specifically limited to gathering foreign intelligence, isn't it?

    • by goombah99 ( 560566 ) on Wednesday March 08, 2017 @09:57AM (#53999513)

      It's like how when the CIA discovers a Russian General has a secret to hide they never blackmail him but immediately notify the Russian Authorities of their vulnerability.

      • by nomadic ( 141991 )
        Pretty much. This story makes zero sense. The CIA didn't just happen to find security flaws, they intentionally looked for them so they could exploit them.
      • Re: (Score:2, Insightful)

        by Archtech ( 159117 )

        It's like how when the CIA discovers a Russian General has a secret to hide they never blackmail him but immediately notify the Russian Authorities of their vulnerability.

        That's logical, because Russia - like the USA - is the CIA's enemy.

      • The CIA doesn't have a responsibility to Russia. If their officials have personal vulnerabilities, those vulnerabilities are exclusively Russian. Software vulnerabilities aren't exclusively Russian. These vulnerabilities affect American citizens. They affect American troops and officials. They affect American government agencies. The risk is not simply that the vulnerabilities will be discovered by foreign intelligence, but that any one of thousands of employees and contractors could sell the entire archive

      • Except all the US generals have the exact same secret, and are equally vulnerable to blackmail. As do their politicians, corporations, citizens, and allies.

        So by not notifying anyone, they're leaving their own country wide open to the Russians, Chinese, Mossad, other nations, organised crime etc, who they are hoping desperately haven't and won't ever notice the same secret themselves. They can't even tell if it's already happened. It's pure security through obscurity, and we've just seen that it didn't work.

    • by Opportunist ( 166417 ) on Wednesday March 08, 2017 @10:27AM (#53999723)

      It's the CIA's job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.

      In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.

    • I cannot resist. "In Soviet Russia, TV watches you." More seriously, it looks like 1984 was a documentary...
      • Actually, 1984 was an Oracle or Nostradamus prediction - only thing - happened to be off by 32 years
        • Apple released the G5 iMac - a wall-mountable computer embedded in a display with a camera and network interface built in - on the 20th anniversary of their 1984 superbowl commercial, which ran with the tagline 'why 1984 won't be like 1984'. Apparently the reason was that it will take 20 years to get it into production.
  • I don't agree (Score:2, Informative)

    by Anonymous Coward
    The NSA is supposed to help and disclose vulnerabilities to the US at the very least, rather than exploit them. The CIA on the other hand has no such goal, and the sole reason to search for vulnerabilities is to exploit them against every other country.
    • "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?

      • by phayes ( 202222 )

        So the NSA/CIA/... are now the publicly financed bug tracking unit of Apple/Google/Microsoft/ZTE/Huawei/Samsung/etc ?!?

        Saying otherwise is "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?!?!

        • They are also meant to be an external department of DEA, by arresting drug smugglers instead of taking their money to fund own operations.

          They are also meant to be the American-funded police of Mexico, and customs agency, in order not to aid smuggling weapons to Mexican mafia.

          Oh, and they are meant to be bodyguards of democratically elected politicians in South America, in order not to aid the local dictators in assassinating them.

          And they definitely should open public-funded hospitals to aid people, so tha

          • by phayes ( 202222 )

            You need to tell whoever it is that is feeding you these "meant to" lines to knock off the psychotropics. None of that has anything to do with the missions of the CIA/NSA.

    • Re:I don't agree (Score:5, Insightful)

      by Fire_Wraith ( 1460385 ) on Wednesday March 08, 2017 @10:07AM (#53999591)
      You are incorrect. The NSA does have an explicit Information Assurance mission, but it also has an intelligence collection mission. Also, while the CIA does not have an explicit IA mission, its ultimate goal is the defense of the nation, which does not preclude issuing warnings about uncovered vulnerabilities.

      The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.

      In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?
      • Re:I don't agree (Score:5, Insightful)

        by tinkerton ( 199273 ) on Wednesday March 08, 2017 @10:42AM (#53999823)

        Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them (well, hypothetically, let's say 'better defined'). The FBI is domestic but has its constraints. The NSA does hacking but has its constraints. The CIA does spying.
        Then if the CIA expands into the domestic front and into the hacking front without the constraints, (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The common response though is 'the CIA is defending us they don't need to be constrained.' Yeah right. The whole security apparatus has gotten completely out of hand.

        • That is another problem area, and partly why we've seen the push for more things that could potentially be abused. Back in the day (so to speak), if you were spying on a radio broadcast from within the USSR, it was pretty clear that's what it was. You'd have to put your listening post somewhere close(r) to Russia. It wouldn't be in the middle of Kansas. Geography would make for a pretty clear definition. If you tapped phone calls in the USSR, you were pretty likely to get Soviets and not Americans, because
      • "National Security" is not the same as "Personal Security". While they are related at times please do not conflate the two.

        One is about the defense of the nation as a whole and is clearly a government responsibility, the other is only a government responsibility in as far as law enforcement and regulations are concerned.

  • by Anonymous Coward on Wednesday March 08, 2017 @09:46AM (#53999447)

    The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

    • It is called doing their job like any * dum dum dum * spy agency should do, maybe you have heard of such terms. If you have problems with how they do their job complain to their boss(es).
    • The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.

      Iran Contra was not a CIA operation: it was an NSC operation - Ollie North was an NSC guy.

      Anyway, right now, the various intel agencies are more dedicated to running a background government of their own, complete w/ their own foreign and defense policies. Which is why they're doing their utmost to undermine the president. Having tasted blood in the form of Lt Gen Flynn, they're now targeting Sessions and anyone else they perceive as a threat, so that they can get their own swamp nominees in.

  • by phayes ( 202222 ) on Wednesday March 08, 2017 @09:55AM (#53999503) Homepage

    Right, so when the CIA/NSA/whatever, uses a vulnerability that gives them access to information -- that it is their reason for existing, they should immediately turn the vulnerability over to the device manufacturer so that they will patch it.

    Because these agencies exist and are financed to perform vulnerability testing for Apple/Google/Microsoft/HP/Dell/ZTE/Huawei/etc!?!?

    Methinks that anyone that can say "that's not how it should work" with a straight face can only be a lawyer, habituated to defining truth as "whatever best serves me/my client".

    We cannot be appalled by the lies of people like Trump and at the same time accept it when people who say that they are defending us from his and other deceptions are also lying to us.

    EFF, this does not help as it only gives Trump et al. more ammunition.

    • by moeinvt ( 851793 ) on Wednesday March 08, 2017 @10:59AM (#53999921)

      Do they really "exist" to gather information, or is gathering information just one tactic that they use as part of a larger mission? I'd argue that the only reason for their existence, or the existence of government in general, is to serve The People. Don't they repeatedly justify their activities by the claim that they're doing us a service?

      Suggesting that the intelligence agencies exist purely for information gathering is the same as saying that the military exists purely to blow things up and kill people. They're good at doing that, but they do it in pursuit of a particular mission. "Invade and Occupy Iraq and find all the WMDs" for example.

      If the mission of the intelligence agencies is to serve The People who pay the taxes and from whom the government derives its just power, they are doing us a disservice because we're not only vulnerable to THEIR information gathering, but vulnerable to anyone else in the world who figures out how to exploit same vulnerabilities.

    • TLDR: If they were not permitted to hold onto vulnerabilities, they would stop finding vulnerabilities.
  • Old stuff (Score:5, Informative)

    by clovis ( 4684 ) on Wednesday March 08, 2017 @10:05AM (#53999581)

    It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discussing since forever, and it's hardly just the CIA that's been taking advantage of the environment.

    And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
    Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IoT vendor to tell them that their device is a POS and how the CIA takes advantage when we and they all know this already?

  • by schwit1 ( 797399 ) on Wednesday March 08, 2017 @10:09AM (#53999607)
    Journalist Michael Hastings Was Investigating CIA Director John Brennan Before He Was Killed in Fiery Car Crash

    http://www.news.com.au/finance... [news.com.au]

  • by SharpFang ( 651121 ) on Wednesday March 08, 2017 @10:10AM (#53999611) Homepage Journal

    So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.

    CIA was created to protect safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.

    It's silly to expect a spy agency to obey the law and play always fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect whatever they might have gained through holding to these exploits outweighs the losses of the public caused by the non-disclosure. CIA no longer serves USA. CIA just serves goals of CIA, and if means to these goals conflict with the good of USA, so be it, USA be damned.

    • It's silly to expect a spy agency to obey the law and play always fair.

      Exactly, and I laugh at the naive simpletons who don't understand this.

      The only time you should believe this is when you're still in pre-school or a head-injury ward.

  • Not their job (Score:4, Informative)

    by jbrown.za ( 2935583 ) on Wednesday March 08, 2017 @10:14AM (#53999635)

    Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".

    It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals' information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gathering advantages of not disclosing these vulnerabilities. I'm not saying I agree with this sentiment, but I don't think this exposes the CIA to the extent that the article suggests.

  • I call Bullshit (Score:5, Informative)

    by mandark1967 ( 630856 ) on Wednesday March 08, 2017 @10:14AM (#53999643) Homepage Journal

    ...Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.

    • by Sabriel ( 134364 )

      The charter is subordinate to the Constitution, as every CIA employee who took the oath of office and signed the affidavit affirming same should know:

      “I, [name], do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; that I take this obligation freely, without any mental reservation or purpose of evasion; and that I will well and faithfully discharge the dut

  • "The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on."

    This is EXACTLY what I would expect of them. This is how they gain their advantage.

    No sane person would ever expect the CIA/NSA/FBI to announce that they found a security vulnerability. It would be like a burglar announcing to a home owner that he found an unlocke

  • by Registered Coward v2 ( 447531 ) on Wednesday March 08, 2017 @11:08AM (#53999979)

    The Vulnerabilities Equities Process doesn't have a mandate to disclose, merely to determine if they should disclose or keep it for use. The EFF explains it:

    EFF filed a lawsuit under the Freedom of Information Act in 2014 to get access to the government's "Vulnerability Equities Process" (VEP), the policy it uses to decide whether to disclose information about security vulnerabilities or instead withhold this information for its own purposes, including law enforcement, intelligence collection, and "offensive" exploitation.

    "EFF v. NSA, ODNI - Vulnerabilities FOIA" [eff.org]

    The EFF has a heavily redacted copy of the policy; the key statement in there is "When a decision is made to disseminate..." [eff.org]

  • Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.

    It is the responsibility of US spy agencies not to violate the security and privacy of Americans; it is not their responsibility to fix security and privacy problems domestically.

    You're probably confused because sometimes spy agencies say "in our operations, we protect the security and privacy of Americans", but that's in the same sense of "when we ship glass, we protect it from breaking", not "we protect a

  • ...intelligence documents? Just asking.
  • I have no problem with our intelligence agencies keeping tools and means to hack.

    I DO HAVE a problem when they're used against American citizens and even used to murder them without a trial.

    Our government should be doing everything it can to PROTECT us against China, Russia, etc. It should not be treating us like antagonists to be targeted and crushed. It's time we stop treating our citizens like "criminals in the making".

  • The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process.

    This is the same group of idiots that are largely responsible for polio still being around (citation below). Failing to accurately assess risk and shortsighted thinking are nothing new to these folks.

    Citation:

    https://www.scientificamerican... [scientificamerican.com]
