SoylentNews is people
SoylentNews
We had two stories submitted pertaining the recent announcement that Wikileaks claimed it had received a cache of CIA hacking tools.
Security Firms Assess Impact of CIA Leak
Security firms have started assessing the impact of the CIA hacking tools exposed on Tuesday by WikiLeaks as part of the leak dubbed "Vault 7."
Files allegedly obtained from a high-security CIA network appear to show that the intelligence agency has tools for hacking everything, including mobile devices, desktop computers, routers, smart TVs and cars.
The published files also appear to show that the CIA has targeted the products of many security solutions providers, including anti-malware and secure messaging applications. The list of affected vendors includes Symantec, Kaspersky, Avira, F-Secure, Microsoft, Bitdefender, Panda Security, Trend Micro, ESET, Avast, AVG, McAfee, Comodo and G Data.
While WikiLeaks has not released any of the exploits it has obtained, an initial investigation conducted by security firms indicates that the CIA's capabilities may not be as advanced as some have suggested.
[...] WikiLeaks reported that the CIA had found a way to bypass the encryption of Signal, Telegram, WhatsApp and other secure messaging applications.
While many jumped to conclude that the agency had actually broken the encryption of these apps, WikiLeaks actually meant that gaining access to a mobile device using iOS and Android exploits could have given the CIA access to conversations, without having to break their encryption.
Source: http://www.securityweek.com/security-firms-assess-impact-cia-leak
Julian Assange Offers Exclusive Access to CIA Hacking Tools for Tech Companies
Julian Assange has offered tech companies exclusive access to CIA hacking tools so that they can patch flaws in their software. However, some of the companies claim to have already patched the exploits:
WikiLeaks will provide technology companies with exclusive access to CIA hacking tools that it possesses, to allow them to patch software flaws, founder Julian Assange said on Thursday. The offer, if legitimate, could put Silicon Valley in the unusual position of deciding whether to cooperate with Assange, a man believed by some U.S. officials and lawmakers to be an untrustworthy pawn of Russian President Vladimir Putin, or a secretive U.S. spy agency.
It was not clear how WikiLeaks intended to cooperate with technology companies, or if they would accept his offer. The anti-secrecy group published documents on Tuesday describing secret Central Intelligence Agency hacking tools and snippets of computer code. It did not publish the full programs that would be needed to actually conduct cyber exploits against phones, computers and Internet-connected televisions. [...] Several companies have already said they are confident that their recent security updates have already accounted for the purported flaws described in the CIA documents. Apple said in a statement on Tuesday that "many of the issues" leaked had already been patched in the latest version of its operating system.
(Score: 4, Insightful) by c0lo on Friday March 10 2017, @01:27AM (11 children)
TF Reuters A [reuters.com]:
I'll let aside the truth value of those beliefs and only ask:
* why should the source/way of the vuln disclosure have any influence in patching it?
* Since when patching a vuln is a matter in the political area, on collision course with engineering?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Arik on Friday March 10 2017, @01:35AM (4 children)
Quit thinking. Shut up. Hate Russia.
If laughter is the best medicine, who are the best doctors?
(Score: 1) by Ethanol-fueled on Friday March 10 2017, @01:42AM (2 children)
This is true. If Russian "meddling" stopped a war, or at least a big enemy to not only Russia's people but that of the enemy's host country, then call me a patriot first and a filthy red commie motherfucker second.
(Score: 2) by Arik on Friday March 10 2017, @02:01AM (1 child)
The Berlin wall came down in 1989.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Friday March 10 2017, @05:00AM
Haven't you heard? They're trying to put "the wall" back up again.
(Score: 2) by Spamalope on Friday March 10 2017, @02:13AM
Pretty much. Either the software engineers confirm the flaw or not. It's not like they'd be accepting any code. The worst case is that they spend some time checking.
(Score: 0) by Anonymous Coward on Friday March 10 2017, @02:21AM (1 child)
Its the other way around.
It isn't about correctly fixing vulnerabilities. Its that by working with Assange they boost his stature.
Cue a stupid chest-beater like runaway going on about values and whatever. That's not the point.
The companies do not exist outside of the world, consequently they have to play politics and manage their reputations in order to protect their marketshare. Its a trade off. They need to make those patches, but for a subset of their customers working with Assange is a reputation hit just as for another subset its a reputation boost. Real world life is complicated.
(Score: 2) by c0lo on Friday March 10 2017, @04:06AM
You realize were this would lead?
The Russian hacker finds a 0day and Putin partially discloses the vulnerability; as a result, he hinders Microsoft's effort from patching it... for reputation reasons.
Meanwhile, the hacker continues to do what he does best (no, its not living in his mum basement) and, when Microsoft patches it, Putin just launches a PR campaign boasting how well Russia collaborated with Microsoft.
Do you really think the "for reputation reasons" makes sense as an explanation? I'm more inclined to accept the hypothesis this is just a fnord [soylentnews.org]
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2, Interesting) by Anonymous Coward on Friday March 10 2017, @04:22AM (1 child)
https://en.wikipedia.org/wiki/Rules_for_Radicals#The_Rules [wikipedia.org]
This explains what is going on in our politics. When the message is one you do not like attack the messenger. See rules 6 and 13.
(Score: 2) by DeathMonkey on Friday March 10 2017, @07:39PM
When the message is one you do not like attack the messenger.
So security companies don't like the message "your stuff is insecure?"
"Don't buy our products, you are totally fine."
(Score: 0) by Anonymous Coward on Friday March 10 2017, @06:55PM (1 child)
I'll let aside the truth value of those beliefs and only ask:
* why should the source/way of the vuln disclosure have any influence in patching it?
* Since when patching a vuln is a matter in the political area, on collision course with engineering?
Because the whole thing is a grey scale. As a hypothetical situation, imagine that the Wikileaks was full of Russian hackers. They do a penetration test of DefenseCo, find 500 defects, and report 450 of them. Now the have 50 known vulnerabilities they (or more likely an unknown confederate) can use in the future.
Of course they could do penetration tests anyway, but it would be more likely to trigger an alarm for people monitoring such things. Likewise, they'd be able to test more stuff (e.g. get temporary access into the network) than they could as complete strangers.
I'm sure most of these problems can be mitigated... but I also expect that not all of them can. There is a reason which companies require things like Ethical Hacker Certification before hiring security testers, and it's not 100% because of dumb PHB syndrome.
(Score: 2) by c0lo on Friday March 10 2017, @08:34PM
As opposed to what? Having Microsoft refusing to patch the 450 vulns that were disclosed, because... political grey scale reasons?
How exactly does this work? Where's the benefit in not patching the ones disclosed?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford