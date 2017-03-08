Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org) 56
Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
It's their job.
Says who?
Says the CIA on their about page under responsibilities of the director.
Correlating and evaluating intelligence related to the national security and providing appropriate dissemination of such intelligence;
George? Is that you?
And, in your mind, there will never be any problem deciding what is appropriate?
It seems to me to be a typical document meant to cast an 'appropriate' image of an agency whose very nature makes it impossible to easily explain its actions.
I find this action by Wikileaks to be disturbing by its timing. The contents shouldn't be a total surprise.
There's been plenty of hints going back years. In 2003 we had OnStar versus the FBI. A couple of years ago Verizon tried to patent an invention that made your TV bo
The definition of the word "appropriate" makes all the difference in that statement. Is it "appropriate" to sacrifice capabilities in the name of improving the public's general digital security?
Security yes... abroad. Privacy: not so much.
The CIA has been historically responsible for international operations, including spying in and on foreign nations. The FBI is supposed to do those things inside the country.
As long as commercial interests, and hence the national security interests that hinge to no small part on the economic stability and power of the US, use the same tools that private citizens use, protecting our privacy is basically collateral damage of protecting the US national security.
While I find the abusive techniques being reported as abhorrent as the next fellow, I would challenge the assertion that it's their job to disclose security issues.
I'm not saying that they morally are not obligated. They are morally obligated to do so, in my personal opinion, to maintain the general fabric of security for the country.
But I'm not so sure that they have a legal obligation to do so.
There are some pretty convincing cases where they could argue that an obscure exploit can be disclosed and upgrade the digital security of the nation by 0.01% or they could hold onto it and use it to help prevent specific bad actors with big plans.
So yes, while I'd like to think we're all above board and working towards a bright shiny future with full disclosure, I'm not sure that the charter for agencies running covert ops lists vulnerability disclosure as their operational mandate.
I disagree (Score:3)
It is the job of the CIA to collect intelligence. Central Intelligence Agency, right there in the name. It's not their job to post software patches.
I think what Cindy Cohn meant was "it would sure be nice if the CIA had let us know about the problems rather than keep them secret", and I agree that would have been awfully nice of them - but wanting the CIA to reveal tactical information that helps it do its job is silly.
They're a spy agency, folks. This is what spies do.
It's like how when the CIA discovers a Russian General has a secret to hide they never blackmail him but immediately notify the Russian Authorities of their vulnerability.
That's logical, because Russia - like the USA - is the CIA's enemy.
It's the CIA's job to protect Americans and keep them safe. Its job also includes protecting the US' trade secrets and commercial interests. And that by definition entails making sure that enemies of the US, be it military or economic, cannot abuse security problems that may affect US interests.
In other words, yes, pointing those security flaws out to manufacturers and making sure that these flaws cannot be abused by enemies of the US and its assets is pretty much the definition of the CIA mandate.
I don't agree (Score:1)
"Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?
So the NSA/CIA/... are now the publicly financed bug tracking unit of Apple/Google/Microsoft/ZTE/Huawei/Samsung/etc ?!?
Saying otherwise is "Let the USA burn to ashes, as long as we manage to destroy Russia in the process"?!?!
They are also meant to be an external department of the DEA, by arresting drug smugglers instead of taking their money to fund their own operations.
They are also meant to be the American-funded police of Mexico, and customs agency, in order not to aid smuggling weapons to Mexican mafia.
Oh, and they are meant to be bodyguards of democratically elected politicians in South America, in order not to aid the local dictators in assassinating them.
And they definitely should open public-funded hospitals to aid people, so tha
The problem is that they both have two conflicting goals when it comes to a discovered vulnerability, which can be used both by others to attack us, but also can be used by those agencies to gather intelligence. The term for it in the Intelligence Community is the "Equities Problem." This wasn't an issue in the past, because in the days of the Cold War for instance, the systems/codes/etc the Soviets were using were entirely different from American ones. Discovering a vulnerability in a Soviet cryptography system was only useful for intelligence gathering, whereas patching a vulnerability in an American cryptography system would not imperil our foreign intelligence collection activities.
In today's world however, everyone basically uses the same systems. This presents a quandary for the three-letter-agency folks. Do we patch everything and shut off our ability to gain information, possibly missing key information about a future attack? Do we keep the vulnerabilities secret to enable more collection, knowing that one of those vulnerabilities will someday be used to attack us and that we could have prevented it? Do we somehow try and muddle through, knowing that we may wind up with the worst of both?
Seems there is another problem. Suppose you start from agencies with well defined responsibilities with their matching checks to control them (well, hypothetically, let's say 'better defined'). The FBI is domestic but has its constraints. The NSA does hacking but has its constraints. The CIA does spying.
Then if the CIA expands into the domestic front and into the hacking front without the constraints, (and the foreign intervention front as well, it could be said), you have a problem with unchecked power. The
CIA is a spy agency that breaks the law. (Score:3, Interesting)
The CIA doesn't have the interest of the American public. They're used to committing illegal acts to get things done. Look up Iran Contra.
Is there an equivalent of Godwin's Law for Israel and the Jews? Because there ought to be.
That's not how it "should" work (Score:4, Interesting)
Right, so when the CIA/NSA/whatever, uses a vulnerability that gives them access to information -- that it is their reason for existing, they should immediately turn the vulnerability over to the device manufacturer so that they will patch it.
Because these agencies exist and are financed to perform vulnerability testing for Apple/Google/Microsoft/HP/Dell/ZTE/Huawei/etc!?!?
Methinks that anyone that can say "that's not how it should work" with a straight face can only be a lawyer, habituated to defining truth as "whatever best serves me/my client".
We cannot be appalled by the lies of people like Trump and at the same time accept it when people who say that they are defending us from his and other deceptions are also lying to us.
EFF, this does not help as it only gives Trump et al. more ammunition.
Intelligence agencies vs threats–us in the m (Score:2)
Right on! (Score:2)
.... And if the CIA has to run a false flag operation that blows up your children, then at least know that they died to weaken your enemy that wants to blow up your children... that are already blown up.
Their job is to stop Mohammed from blowing up your children.
It's a bit late for that, unless they also have time machines. The best way to prevent "Mohammed from blowing up your children" (and when did that last happen in the USA?) would have been to refrain from blowing up his children. And his wife, and his aunts and uncles and his parents and his friends. And his dog.
Unfortunately that carrier task force sailed decades ago.
Old stuff (Score:5, Informative)
It looks to me like the list of CIA hacking tools is a list of vulnerabilities that we already knew about and have been discussing since forever, and it's hardly just the CIA that's been taking advantage of the environment.
And it also looks like a list of vulnerabilities that the vendors all know about and we've all been complaining about.
Soooo why exactly should the CIA tell Apple "we have an evil app that intercepts messages before encryption" when Apple and everyone else who's been paying attention already knows about these apps. Should the CIA have meetings with every half-assed IoT vendor to tell them that their device is a POS and how the CIA takes advantage when we and they all know this already?
Did CIA kill Mike Hastings by controlling his car? (Score:3)
http://www.news.com.au/finance... [news.com.au]
This is why people fear Artificial Intelligence (Score:3)
So obsessed with the letter of the mission statement, that you forget its spirit. Subjects you were meant to serve become means, and disposable resources in achieving goals that no longer serve their purpose, as the cost outweighs benefits by way too much.
The CIA was created to protect the safety of USA citizens. It got specific goals and means by which it would serve in that mission, and focused on them so much the mission went entirely out of focus. Collateral damage is no longer considered an issue. No matter how much the CIA hurts and weakens the USA, it considers the actions a success if the "enemy" (actual or potential) is weakened in the process.
It's silly to expect a spy agency to obey the law and always play fair. But whatever it does, no matter how nefarious and slimy, it should always put the good of its citizens first. And it's ridiculous to expect that whatever they might have gained through holding on to these exploits outweighs the losses of the public caused by the non-disclosure. The CIA no longer serves the USA. The CIA just serves the goals of the CIA, and if the means to these goals conflict with the good of the USA, so be it, USA be damned.
The CIA's website says "CIA’s primary mission is to collect, analyze, evaluate, and disseminate foreign intelligence to the President and senior US government policymakers in making decisions relating to national security".
It seems pretty clear that they are focused on gathering information relating to US national security... it says nothing about protecting private individuals information. I can guess that they will claim to have weighed up the threat to private individuals vs the intelligence gath
I call Bullshit (Score:3)
Section 202 of the National Security Act of 1947 established the CIA, and nowhere in the charter does it state it's their responsibility to protect the privacy of Americans.